
List:       bugtraq
Subject:    [ZH2005-16SA] Insecure temporary file creation in Skype for Linux
From:       badpenguin () zone-h ! org
Date:       2005-07-16 9:23:03
Message-ID: 20050716092303.25257.qmail () securityfocus ! com

[ZH2005-16SA] Insecure temporary file creation in Skype for Linux


Application: Skype for Linux
Version affected: <= 1.1.0.20
Vendor website : http://www.skype.com


Author: Giovanni Delvecchio
e-mail: badpenguin at zone-h.org



About Skype
==========
Skype is a free program that uses the latest P2P technology to bring affordable, high-quality voice communications to people all over the world. It also provides an instant messaging service.



Details
======
Each user has his own profile, which can be personalized with a picture. When a user adds a picture to his profile, Skype creates the file "/tmp/skype_profile.jpg" in an insecure manner, without checking whether the file already exists or whether it is a symbolic link.

-----------------------------------------------------------------------------------------
bad@badpenguin:~/skype-1.1.0.20$ strace -e trace=open skype
.
.
open("/home/bad/image.jpg", O_RDONLY|O_LARGEFILE) = 21 // picture chosen by user
open("/tmp/skype_profile.jpg", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 23
                // insecure temporary file creation (it should use the O_EXCL or O_NOFOLLOW flag)
.
.
-----------------------------------------------------------------------------------------



This could represent a security problem in a multi-user environment, because the /tmp directory is usually world-writable. Such a problem could be exploited by a malicious local user via a symlink attack to overwrite arbitrary files with the privileges of the user running Skype.


Example:

ln -s file_to_overwrite /tmp/skype_profile.jpg

When the user adds a picture to his profile, the file symlinked by the attacker will be overwritten with the contents of the picture the user chose for his profile.
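As an added example (not Skype's code), the following C program places the open(2) call seen in the strace above next to a hardened variant using O_EXCL|O_NOFOLLOW, and checks both against a symlink planted in a private mkdtemp(3) directory so that nothing shared in /tmp is touched; the function names and the scratch paths are constructed for this illustration.

```c
/* Added example, not Skype's code: the open(2) pattern from the strace above
 * next to a hardened variant. Function names and paths are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Unsafe: O_CREAT|O_TRUNC on a fixed, predictable name follows a pre-planted
 * symlink and truncates whatever it points at. */
int open_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL makes open() fail with EEXIST when anything, a symlink
 * included, already has that name; O_NOFOLLOW refuses symlinks even when the
 * file is opened without O_CREAT. Mode 0600 keeps other users from reading it. */
int open_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Replays the advisory's scenario inside a private mkdtemp(3) directory: a
 * victim file, a symlink named skype_profile.jpg pointing at it, then both
 * opens on the link. Returns 1 if open_unsafe() followed it and open_safe() refused. */
int demo(void) {
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";
    char victim[64], lnk[64];
    int ok = 1, fd;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/skype_profile.jpg", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || symlink(victim, lnk) != 0) ok = 0;
    if (fd >= 0) close(fd);
    if (ok) {
        fd = open_unsafe(lnk);      /* succeeds: victim is truncated through the link */
        if (fd < 0) ok = 0; else close(fd);
        fd = open_safe(lnk);        /* fails: EEXIST (or ELOOP), the link is not followed */
        if (fd >= 0) { close(fd); ok = 0; }
        else if (errno != EEXIST && errno != ELOOP) ok = 0;
    }
    unlink(lnk); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) {
    printf("hardened open refused the planted symlink: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

Later Linux kernels (3.6 and newer) also offer the fs.protected_symlinks sysctl, which blocks following symlinks in sticky world-writable directories such as /tmp when the link owner differs from the follower; that mitigates this class of bug system-wide but does not replace correct flags in the application.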

In certain conditions a privilege escalation is possible.
An example of privilege escalation exploiting this type of vulnerability is the following:

from http://www.securityfocus.com/archive/82/327361/2003-06-29/2003-07-05/0 :

"Starting with release 9, Red Hat ships and uses the pam_timestamp_check.so module (accompanied by the /sbin/pam_timestamp_check setuid helper), a part of the new pam-0.75 (Pluggable Authentication Modules) package. PAM is a generic centralized authentication and session management component that is also shipped by an increasing number of other distributions, so it is reasonable that the code is about to propagate to other distros. The module mentioned implements a credential caching functionality, very closely inspired by the tty ticketing system used in sudo. The way the module (and sudo) works, in essence, is that it gets the current pseudo-terminal name A, the current user name B, and the user for which credentials are cached, C (usually root for Red Hat applications, the user himself for sudo). Then the code checks for /var/run/sudo/B/A:C (or /var/run/sudo/B/A if B == C), and if the file is recent (regardless of its content), the module returns success and enables the user to skip the usual password authentication.

Since there's no check for file origin, it should be more than obvious that suddenly, with any insecure file creation problem in an application used by a superuser, it is possible to spoof a ticket in /var/run and bypass the root password prompt and other checks, and perform administrative tasks, easily modifying system config, installing custom components (say, a rootshell), etc. All this by crafting a single symlink that is later opened with O_CREAT with no O_EXCL or O_NOFOLLOW."


Example:
----------------------------------------------------------------------------------------
 #!/bin/sh

#get current terminal number from /dev/pts/xx
terminal_number=`tty | cut -f4 -d '/'`

user_ticket=$USER/$terminal_number:root
ln -s /var/run/sudo/$user_ticket /tmp/skype_profile.jpg
---------------------------------------------------------------------------------------------




Solution
========
No fix is available at the moment;
grant write access to the /tmp directory only to trusted users.



Timeline
========
07 April 2005 - bug discovered

08 April 2005 - Skype contacted by security at skype.net

14 April 2005 - 1st response from Skype:
"Thank you for the email, we will pass it on to our developers.
Regards,
Andres"

25 May 2005 - Skype for Linux version 1.1.0.13 released; the problem is still present.

27 May 2005 - Skype re-contacted by security at skype.net

27 May 2005 - 2nd response from Skype:
"Giovanni, Thank you for the email again. I've spoken to our Linux developers and they assure me this will be fixed in the next version and they are considering posting an immediate advisory. Again, your help is appreciated.
Regards,
Andres"

5 July 2005 - Skype for Linux version 1.1.0.20 released, but the bug hasn't been fixed.

15 July 2005 - Public advisory



Author's Note
=============
Although this type of vulnerability isn't a problem for a single desktop user, it could represent a problem in a multi-user environment. For example, Skype is used by many companies with some hundreds of employees, and in such environments several users have access to a host, locally or remotely. Any user, even with low privileges, could exploit this type of vulnerability to overwrite or create arbitrary files with the privileges of the user running Skype, and in certain cases conduct a privilege escalation. A study made by CERT (Computer Emergency Response Team) called ITS (Insider Threat Study) shows that many incidents in companies are perpetrated by insiders (e.g. current or former employees). So I think that in these conditions this bug may represent a security problem, and Skype should fix it quickly.



Reference
=========
http://www.zone-h.org/advisories/read/id=7808

