I was learning Automake last night, and I think I found a security vulnerability. I'm not sure if this is already known, but I couldn't find it on Bugtraq. The security vulnerability is the insecure creation of temporary files in the config.guess script which leads to a race condition.

In the config.guess script, there's a line that says:

    dummy=dummy-$$

And further down...

    echo "int dummy(){}" > $dummy.c ;

An attacker can create a number of symbolic links called dummy-PID.c pointing to important files like /etc/passwd. PID in this case would be the attacker's guesses on what the PID of the config.guess script will run as.

If root runs ./configure in a source tree containing these malicious symlinks, and if the configure script in turn runs config.guess, the /etc/passwd file may potentially be overwritten with "int dummy(){}", resulting in a denial of service attack.

Of course, we all know root shouldn't be running configure, but I still feel that this is a potential vulnerability that needs to be fixed.

Apart from dummy-$$.c, the other temporary files that are created are dummy-$$.s and dummy-$$.rel.

My recommendations are:

1. Check if the dummy file exists. If it does, append a number to it. If that still exists, keep changing that number until we come up with a filename that does not already exist (this is similar to mutt's temporary files /tmp/mutt-HOSTNAME-PID-SOMENUM); or

2. Use a random hash value instead of the process ID ($$), which would be the preferred alternative. However, I don't know how feasible it is to do this in a simple, portable way that's consistent with Automake.

I've written a proof-of-concept exploit in C, which was pretty trivial to write. If anyone's interested (and if it's appropriate), I'll post the code here.

I've tested this on:

    automake 1.4p4 on Debian GNU/Linux 3.0 (testing)
    automake 1.5 on Slackware 8.0 current

Other automake versions may be vulnerable as well. The line also appears in config.guess of automake 1.6.1, but I did not test it.

Lawrence Teo

--
Lawrence Teo
lcteo at uncc dot edu
http://www.coe.uncc.edu/~lcteo
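
The following is an added example, not part of the original post and not code from config.guess: one way to replace the predictable dummy-$$ name is to create the probe file inside a private directory with an unpredictable name, and to refuse to write through any name that already exists. The function names make_probe_dir and write_probe are hypothetical, and the sketch assumes mktemp(1) is usually available, with a mkdir fallback when it is not.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from config.guess.

# Create a private scratch directory and print its path.
# mktemp -d chooses an unpredictable name and creates the directory
# atomically; umask 077 keeps other users out of it.
make_probe_dir() {
    base=${TMPDIR:-/tmp}
    dir=$( (umask 077 && mktemp -d "$base/cgXXXXXX") 2>/dev/null ) || dir=
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        # Fallback without mktemp: the name is predictable, but mkdir
        # fails if it already exists (as a file, directory or symlink),
        # so a pre-planted name aborts the run instead of being followed.
        dir=$base/cg-$$
        (umask 077 && mkdir "$dir") 2>/dev/null || return 1
    fi
    printf '%s\n' "$dir"
}

# Write the compiler probe inside the private directory.
# set -C (noclobber) makes ">" refuse to write through a name that
# already exists as a regular file or as a symlink to one.
write_probe() {
    ( set -C; echo "int dummy(){}" > "$1/dummy.c" ) 2>/dev/null
}

# Stand-alone run: create, use and remove the scratch directory.
probe_dir=$(make_probe_dir) || { echo "cannot create temp dir" >&2; exit 1; }
trap 'rm -rf "$probe_dir"' 0
write_probe "$probe_dir" || { echo "probe file already exists" >&2; exit 1; }
echo "probe written to $probe_dir/dummy.c"
```

Because the file name inside the directory no longer depends on the PID, the .s and .rel files mentioned in the post can be created in the same directory in the same way.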