This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

merkaartor: minor symlink attack #2320

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 3 comments

Comments

@openstreetmap-trac

Reporter: bernd[at]bzed.de
[Submitted to the original trac issue database at 7.04am, Sunday, 27th September 2009]

[Forwarded from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548546]

Found a minor symlink attack in merkaartor. It allows a local attacker
to append the contents of the merkaartor log file to arbitrary files
owned by the user running merkaartor.

It may be used to DoS any applications that require their data files to
be valid before starting.

While no data loss is immediately obvious, it is possible that
corrupting files by appending data could lead other software to destroy
the newly corrupted data. An example of this could be bash. A merkaartor
log file can be fairly long if the user has enabled map tile downloads
and browses a large area and lots of tiles over one map editing session.
Merkaartor would append many lines to the user's bash history, and the next
time they start bash, their bash history could be larger than bash's
history limit settings. Bash would then take the latest lines (all
merkaartor logs) and discard the legitimate bash history.

Steps to reproduce:

pabs@chianamo:~/tmp$ sudo rm -f /tmp/merkaartor.log /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ sudo su -c 'ln -s /home/pabs/tmp/foo.log /tmp/merkaartor.log' nobody
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
ls: cannot access /home/pabs/tmp/foo.log: No such file or directory
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ merkaartor
****  "2009-09-27T11:49:39"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:49:42"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs   pabs    189 2009-09-27 11:49 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup  22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
****  "2009-09-27T11:49:39"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:49:42"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ echo test > foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
pabs@chianamo:~/tmp$ merkaartor
****  "2009-09-27T11:50:20"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:50:24"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
****  "2009-09-27T11:50:20"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:50:24"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs   pabs    194 2009-09-27 11:50 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup  22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log


@openstreetmap-trac

Author: Koying
[Added to the original trac issue at 8.53am, Tuesday, 29th September 2009]

I don't see an obvious "fix" for this...

What am I supposed to do to be "secure"? Disable the logging by default, maybe?

@openstreetmap-trac

Author: bernd[at]bzed.de
[Added to the original trac issue at 10.48am, Tuesday, 29th September 2009]

There are two ways to avoid such bugs:

  • If you write files into public temp directories, make sure the name is not
    guessable - use mkstemp for example.
  • Put files into a directory which is accessible by the user only.

Another idea would be to allow the user to enable logging and let him choose the
place where the log should go. Then it is not the software's fault if the
user has issues with such attacks.
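As an added illustration (not Merkaartor's code, and not part of the original thread), the following C fragment combines both suggestions above: the log lives in a directory only the user can access (mkdtemp creates it mode 0700), and the open call refuses to follow a symlink at the log path (O_NOFOLLOW) and then checks with fstat that what it opened is a regular file owned by the caller. The function names are assumptions; the demo plants a symlink in its own scratch directory, mirroring the shape of the report, and checks that the open is refused and the target stays uncreated.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending, but refuse a symlink at the final path component
 * (O_NOFOLLOW -> ELOOP); create it 0600 if missing; then confirm via fstat
 * that we hold a regular file owned by us. Returns fd, or -1 with errno set. */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demo of the attack shape in this issue: a symlink is planted where the log
 * would be written. A private mkdtemp() directory (mode 0700) stands in for
 * /tmp so the demo touches nothing outside it. Returns 0 when the safe open
 * refuses the symlink, leaves its target uncreated, and accepts a plain file. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX";
    char link[64], target[64], plain[64];
    if (!mkdtemp(dir))
        return 1;
    snprintf(link, sizeof link, "%s/app.log", dir);      /* predictable log name */
    snprintf(target, sizeof target, "%s/victim", dir);   /* file the link points at */
    snprintf(plain, sizeof plain, "%s/safe.log", dir);
    if (symlink(target, link) < 0) return 2;
    int rc = 0, fd = open_log_nofollow(link);
    if (fd >= 0) { close(fd); rc = 3; }                  /* symlink must be refused */
    else if (errno != ELOOP) rc = 3;
    if (access(target, F_OK) == 0) rc = 4;               /* nothing created behind it */
    fd = open_log_nofollow(plain);
    if (fd < 0 || write(fd, "ok\n", 3) != 3) rc = 5;     /* plain file still works */
    if (fd >= 0) close(fd);
    unlink(link); unlink(plain); unlink(target); rmdir(dir);
    return rc;
}
```

O_NOFOLLOW only guards the last path component, so a symlinked parent directory would still be followed; that is why the private directory, not the flag alone, is the real fix.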

@openstreetmap-trac

Author: Koying
[Added to the original trac issue at 1.35am, Monday, 4th January 2010]

Solved by allowing the user to specify the log name and by disabling it by default on release builds.
