Friday, May 23, 2008

Temporary files -- yer doin it wrong

The number of security vulnerabilities I've discovered over the years that have started from casually observing how a particular system operates is non-trivial. I don't recall where I was reading this or what the exact wording was, but it boiled down to the fact that some of the best hacker minds are those that act upon the thoughts that start with "I wonder what happens if I ...". They say that curiosity killed the cat. What about the hacker? I have this great picture of myself when I was probably 6 or 7. I had a dozen D-cell batteries taped together in series hooked up to a small DC motor I had ripped out of one of my toys. My desk or the family workbench had met its maker. And then there was the time I cut the power cord off the back of my broken alarm clock, split the leads and taped them to a dead 9V battery. A poor man's recharger, right? Wrong. A convenient way to splatter battery acid and toxic fumes all over my room.

I have this nervous habit that every time I open a terminal or change directories, I type ls. Besides an overly large bash/zsh history file, this actually led me to stumble upon a number of temporary files, directories and other things that an application may litter in a directory as part of its normal operations. Right now, list the contents of /tmp. Aside from random files you stashed there for lack of space elsewhere, you'll almost certainly see files that were dropped there by applications that have run recently on your system.

If you have any sort of security background, you can see where this is going. The problem is that these applications don't always handle every situation carefully when it comes to temporary files. What if the file already exists? What if it is a symlink someone else planted? What if the directory is owned by another user but is world writable? What if the filename is predictable? The classic mistake is checking that a name is free and then creating the file in a second, separate step: any local user who can write to the directory has a window in which to drop a symlink at that name, so the application ends up truncating or writing to whatever file the attacker pointed it at. These are the breeding grounds for race conditions, symlink attacks and other related security vulnerabilities.
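The following is an added example, not code from the original post or from tmpsnarl, that plays the symlink attack described above end to end on Linux: it builds a private scratch directory under /tmp (the directory name, the "target" file and the predictable "app.tmp" name are all assumptions for the demo), plants a symlink at the predictable path, then opens that path the careless way (O_CREAT without O_EXCL) and the careful way (O_CREAT|O_EXCL|O_NOFOLLOW, or mkstemp). It also includes the kind of directory check a tmpsnarl-style sweep would apply: world-writable without the sticky bit.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Scratch directory standing in for /tmp; an assumption for this demo. */
#define DEMO_DIR_TEMPLATE "/tmp/tmpsnarl_demo.XXXXXX"

/* The "yer doin it wrong" pattern: predictable name, O_CREAT without O_EXCL.
 * If someone has already planted a symlink at that path, open() follows it
 * and the program truncates and writes whatever file the attacker chose. */
static int unsafe_tmp_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* The fix: O_EXCL makes the create atomic (fails with EEXIST if anything,
 * including a symlink, already sits there) and O_NOFOLLOW refuses to follow
 * a symlink at the final path component (ELOOP). */
static int safe_tmp_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* tmpsnarl-style triage of a directory: world-writable without the sticky
 * bit means any local user can rename or replace other users' files there. */
int dir_is_snarlable(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return (st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX);
}

/* Walk through the symlink attack in a private scratch directory:
 *   1. create a "target" file the attacker wants clobbered
 *   2. plant a symlink at the predictable temp path, pointing at the target
 *   3. open the temp path the careless way and the careful way
 * Returns 1 when the careless open clobbered the target and the careful one
 * refused, -1 on setup failure. */
int demo_symlink_attack(void) {
    char dir[] = DEMO_DIR_TEMPLATE;
    if (mkdtemp(dir) == NULL) return -1;

    char target[PATH_MAX], link[PATH_MAX];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/app.tmp", dir);      /* predictable name */

    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6) return -1;
    close(fd);

    /* attacker wins the race: the temp path now points at the target */
    if (symlink(target, link) != 0) return -1;

    int unsafe_fd = unsafe_tmp_open(link);
    int unsafe_succeeded = unsafe_fd >= 0;
    if (unsafe_fd >= 0) {
        if (write(unsafe_fd, "owned", 5) != 5) { close(unsafe_fd); return -1; }
        close(unsafe_fd);
    }
    struct stat st;
    int target_clobbered = stat(target, &st) == 0 && st.st_size == 5;

    int safe_fd = safe_tmp_open(link);
    int safe_refused = safe_fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (safe_fd >= 0) close(safe_fd);

    unlink(link);
    unlink(target);
    rmdir(dir);
    return unsafe_succeeded && target_clobbered && safe_refused;
}

/* The idiomatic answer: mkstemp() picks an unpredictable name and creates it
 * with O_EXCL in one step.  Returns 1 if a fresh file was created, 0 otherwise. */
int demo_mkstemp(void) {
    char path[] = "/tmp/app.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    int fresh = strstr(path, "XXXXXX") == NULL;   /* template was filled in */
    close(fd);
    unlink(path);
    return fresh;
}

int main(void) {
    printf("symlink attack demo (1 = unsafe open clobbered target, safe open refused): %d\n",
           demo_symlink_attack());
    printf("mkstemp demo: %d\n", demo_mkstemp());
    printf("/tmp snarlable: %d\n", dir_is_snarlable("/tmp"));
    return 0;
}
```

Compile with `cc -o tmpdemo tmpdemo.c` and run it; the careless open reports success while the target's original contents are gone, and the careful open fails with EEXIST. A real /tmp normally has the sticky bit, so the directory check reports 0 there; it is the application-private directories under /tmp, /var/tmp or a user's home that tend to come back as snarlable.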

The result is tmpsnarl, a quick little script designed to look for and capture temporary files, directories, sockets, symlinks and the like in the hopes of being able to exploit the above mentioned vulnerabilities. I've used this tool to re-discover some of my past vulnerabilities, as well as find a few 0day race conditions that I was unaware of. I now instinctively run tmpsnarl on all systems I have shells on and the results are amusing. Give it a spin, and shoot any feedback or discovered vulnerabilities back my way.

Temporary files -- yer doin it wrong.