> Well, yes and no. Let's take the following case:
> 1) You're using software which creates then executes a temporary file
> as .progname.day-of-month
> 2) The attacker knows this and has a remote attack to populate this
> file in /tmp to give themselves root access
> 3) You've globally defined TMPDIR to be /tmp/42/
> 4) Attack fails
Yes, let's examine this:

2): Why is it believed that such a trick will automagically allow an attacker to execute a self-made program with elevated privileges, like root? There are only two possible ways this could occur:

a): Clamav were to run as root (and consequently run .progname.day-of-month as root too), which is plain stupid.

b): .progname.day-of-month were set owner root and u+s (setuid) or some such, so that Clamav, running as, say, user clamav, would execute .progname.day-of-month as root. But, as David already pointed out, if the attacker already has the ability to create a file owned by root, then everything else is moot.

Also, where does the idea come from that a symlink will magically bring the attacker root access? If .progname.day-of-month were a symlink, then please, anyone, show me what sort of file this symlink could point to that would suddenly allow the attacker to gain root access?

Okay, the argument could be that an already existing .progname.day-of-month could contain code the attacker pre-put in. That's what O_EXCL should have prevented. But assuming Clamav were fooled in such a way, then if .progname.day-of-month were a program Clamav created, then wrote to, then executed, how successful do you think Clamav's writes to .progname.day-of-month would be? Either writes to it would fail, no doubt causing an unrecoverable I/O error, or writes to it would succeed, in which case the attacker's file simply gets overwritten.

Also, on FreeBSD, we set /tmp +t, which means items in /tmp can be renamed or deleted only by the item's owner.

In short, I fail to see what the fuss is all about. O_EXCL should have been there, but it's a minor bug -- especially since the TS initially failed to realize there was randomness, after all (though it could be improved upon). I see no realistic possibilities for exploits. But I'm of course open to hearing how someone thinks a realistic attack could be mounted with it.
- Mark

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html