Utmpname
Vulnerable to TOCTOU issues
Sean Barnum, Cigital, Inc.
Copyright © 2007 Cigital, Inc.
2007-04-23
Attack Category

Vulnerability Category

Software Context

Location

Description
The utmp file keeps track of users who are currently logged in and from where. It has a specific format made up of many utmp structures. The utmpx file is an extension of the original utmp file with its own extended format. utmpname() and utmpxname() specify the location of each of the respective files. "utmpname()" is used to refer to both functions throughout this document. Any setuid program that calls this function as root, or as any user with authorization to modify the location of this file, must take special precautions.

APIs

Method of Attack
The key issue with respect to TOCTOU vulnerabilities is that programs make assumptions about the atomicity of actions. It is assumed that checking the state or identity of a targeted resource followed by an action on that resource is all one action. In reality, there is a period of time between the check and the use in which an attacker can intentionally, or another interleaved process or thread can unintentionally, change the state of the targeted resource and yield unexpected and undesired results.

If an attacker can specify the filename used in utmpname(), he or she could append to (and create, if it does not exist) any file with the permissions of the setuid user. An attacker could also have the utmp data destroyed by specifying that the file should be written to /dev/null. If a program uses a hard-coded absolute file path or a relative file path to a directory that an attacker controls, he or she could create a symbolic link with that same path to a file they wish to append to. Thus they could append utmp-format data to, say, /etc/passwd. Finally, since this program is being run with elevated privileges, an attacker could leverage other insecurities in the program.

Exception Criteria
utmpname() can be used safely if the attacker cannot specify or affect the filename and they don't have control over any absolute file-path that may be specified in the program.

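The two exception criteria can be checked in code. The following is an added example, not part of the original Cigital rule: the file name is a build-time constant, and the path is accepted only if every directory above it is owned by root and writable by no one else, so nobody but root can re-point the name between the check and the later use. The function names are hypothetical, and a Linux-style libc with realpath() and _PATH_UTMP is assumed.

```c
#define _GNU_SOURCE            /* realpath(), lstat() under strict -std= modes */
#include <limits.h>
#include <paths.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <utmp.h>

/* A directory is safe only if root owns it and no one else can write to it. */
static int root_only_dir(const struct stat *st)
{
    return S_ISDIR(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Canonicalise `path` into `out` and return 1 only if every directory above
 * the file is root-only and the file is a regular, non-symlink, root-owned
 * file; return 0 otherwise. This validates a path the program chose itself;
 * it is not a filter for names supplied by an untrusted caller. */
int utmp_path_is_trusted(const char *path, char out[PATH_MAX])
{
    struct stat st;

    if (path == NULL || path[0] != '/')      /* relative names follow the cwd */
        return 0;
    if (realpath(path, out) == NULL)         /* also fails if the file is absent */
        return 0;
    if (lstat("/", &st) != 0 || !root_only_dir(&st))
        return 0;
    for (char *p = out + 1; *p != '\0'; p++) {
        if (*p != '/')
            continue;
        *p = '\0';                           /* cut to the parent prefix */
        int ok = lstat(out, &st) == 0 && root_only_dir(&st);
        *p = '/';
        if (!ok)
            return 0;
    }
    return lstat(out, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == 0;
}

/* Hypothetical wrapper: the name is fixed at build time, never caller input. */
int use_system_utmp(void)
{
    static char resolved[PATH_MAX];          /* must outlive the call */
    if (!utmp_path_is_trusted(_PATH_UTMP, resolved))
        return -1;
    utmpname(resolved);
    return 0;
}
```
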
Solutions

Signature Details
void utmpname(const char *file);

Examples of Incorrect Code

Examples of Corrected Code

Source References

Recommended Resources

Discriminant Set

Cigital, Inc. Copyright
Copyright © Cigital, Inc. 2005-2007. Cigital retains copyrights to this material.
Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.
For information regarding external or commercial use of copyrighted materials owned by Cigital, including information about “Fair Use,” contact Cigital at copyright@cigital.com.
The Build Security In (BSI) portal is sponsored by the U.S. Department of Homeland Security (DHS), National Cyber Security Division. The Software Engineering Institute (SEI) develops and operates BSI. DHS funding supports the publishing of all site content.