Opened 10 years ago

Closed 10 years ago

#2320 closed defect (fixed)

merkaartor: minor symlink attack

Reported by: bernd@… Owned by: Chris Browet
Priority: critical Milestone:
Component: merkaartor Version:
Keywords: Cc:

Description

[Forwarded from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548546]

Found a minor symlink attack in merkaartor. It allows a local attacker to append the contents of the merkaartor log file to arbitrary files owned by the user running merkaartor.

It may be used to DoS any applications that require their data files to be valid before starting.

While no data loss is immediately obvious, it is possible that corrupting files by appending data could lead other software to destroy the newly corrupted data. An example of this could be bash. A merkaartor log file can be fairly long if the user has enabled map tile downloads and browses a large area and lots of tiles over one map editing session. Merkaartor would append many lines to the user's bash history; the next time they start bash, their bash history could be larger than bash's history limit settings, so bash would take the latest lines (all merkaartor logs) and discard the legitimate bash history.

Steps to reproduce:

pabs@chianamo:~/tmp$ sudo rm -f /tmp/merkaartor.log /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ sudo su -c 'ln -s /home/pabs/tmp/foo.log /tmp/merkaartor.log' nobody
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
ls: cannot access /home/pabs/tmp/foo.log: No such file or directory
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ merkaartor
****  "2009-09-27T11:49:39"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:49:42"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs   pabs    189 2009-09-27 11:49 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup  22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
****  "2009-09-27T11:49:39"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:49:42"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ echo test > foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
pabs@chianamo:~/tmp$ merkaartor
****  "2009-09-27T11:50:20"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:50:24"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
****  "2009-09-27T11:50:20"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:50:24"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs   pabs    194 2009-09-27 11:50 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup  22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log


Change History (3)

comment:1 Changed 10 years ago by Chris Browet

Owner: changed from cbro@… to Chris Browet
Status: new → assigned

I don't see an obvious "fix" for this....

What am I supposed to do to be "secure"? Disable the logging by default, maybe?

comment:2 Changed 10 years ago by bernd@…

There are two ways to avoid such bugs:

  • If you write files into public temp directories, make sure the name is not guessable - use mkstemp for example.

  • Put files into a directory which is accessible by the user only.

Another idea would be to allow the user to enable logging and let him choose the place where the log should go to. Then it is not the software's fault, if the user has issues with such attacks.
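
The two mitigations listed above, shown side by side with the vulnerable pattern from the report, as an added example in C that is not Merkaartor's code. It reproduces the attack from the description (an attacker plants a symlink at a predictable log path, the victim's fopen(..., "a") follows it) inside a scratch directory created with mkdtemp(), then shows three opens that the planted link cannot hijack: a fixed path opened with O_NOFOLLOW plus an fstat() ownership check, a log kept in a 0700 directory opened relative to a verified directory descriptor, and an unguessable name from mkstemp(). All function names and the file names under the scratch directory (bash_history, merkaartor.log, private) are constructed for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (what the report describes): fopen(..., "a") on a fixed
 * path in a shared directory follows whatever symlink is already there, so a
 * local attacker who pre-creates /tmp/merkaartor.log chooses the target. */
static int unsafe_append_log(const char *path, const char *line)
{
    FILE *f = fopen(path, "a");
    if (!f) return -1;
    fputs(line, f);
    return fclose(f);
}

/* Hardened open for a fixed path: O_NOFOLLOW refuses a symlink at the final
 * component (Linux reports ELOOP), and the fstat() check rejects anything that
 * is not a regular file with one link owned by the caller. Returns an fd or -1. */
int safe_open_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Second mitigation from the comment: keep the log in a directory only the
 * user can enter. The directory is opened with O_NOFOLLOW and verified to be
 * ours and mode 0700 before the log is created relative to it with openat(). */
int open_log_in_private_dir(const char *dir, const char *name)
{
    if (mkdir(dir, 0700) < 0 && errno != EEXIST) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    struct stat st;
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    return fd;
}

/* Self-contained reproduction under a fresh mkdtemp() scratch directory (all
 * paths are constructed for the demo). Returns 0 when the unsafe open is
 * hijacked by the planted symlink and none of the hardened variants is; any
 * other value identifies the step that did not behave as expected. */
int run_demo(void)
{
    char root[] = "/tmp/merkaartor-demo.XXXXXX";
    if (!mkdtemp(root)) return 1;
    char victim[128], link[128], priv[128], privlog[160], tmpl[128];
    snprintf(victim, sizeof victim, "%s/bash_history", root);
    snprintf(link, sizeof link, "%s/merkaartor.log", root);
    snprintf(priv, sizeof priv, "%s/private", root);
    snprintf(privlog, sizeof privlog, "%s/merkaartor.log", priv);
    snprintf(tmpl, sizeof tmpl, "%s/merkaartor.XXXXXX", root);
    struct stat st;
    int rc = 0, fd;

    /* Attacker: plant the symlink at the predictable log path first. */
    if (symlink(victim, link) < 0) rc = 2;
    /* 1. Vulnerable open: the log line lands in "bash_history". */
    if (!rc && (unsafe_append_log(link, "**** Starting Merkaartor\n") != 0 ||
                stat(victim, &st) < 0 || st.st_size == 0)) rc = 3;
    /* 2. O_NOFOLLOW: the same planted symlink makes open() fail instead. */
    if (!rc && (fd = safe_open_log(link)) >= 0) { close(fd); rc = 4; }
    /* 3. Private 0700 directory: no shared path for an attacker to pre-create. */
    if (!rc) { if ((fd = open_log_in_private_dir(priv, "merkaartor.log")) < 0) rc = 5; else close(fd); }
    /* 4. mkstemp(): unguessable name created with O_EXCL, so a link planted
     *    at a guessed name would make creation fail rather than be followed. */
    if (!rc) { if ((fd = mkstemp(tmpl)) < 0) rc = 6; else { close(fd); unlink(tmpl); } }

    unlink(victim); unlink(link); unlink(privlog); rmdir(priv); rmdir(root);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0) puts("symlink followed by fopen(\"a\"); refused by the hardened opens");
    else printf("demo step %d failed\n", rc);
    return rc;
}
```

The O_NOFOLLOW variant only protects the final path component, so it is a fix for a predictable name in a shared directory; the private-directory variant removes the shared path altogether, which is why the comment prefers it. Either way the check has to be made on the descriptor you actually obtained (fstat), not on a separate stat() of the path, or an attacker can swap the entry between the two calls.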

comment:3 Changed 10 years ago by Chris Browet

Resolution: fixed
Status: assigned → closed

Solved by allowing the user to specify the log name and by disabling it by default on release builds.
