Jarno Huuskonen wrote:
> After that I looked at the tripwire sources and confirmed the problem.
> (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and
> tw/textreportviewer.cpp).
If you noticed a few more lines down the file get's removed.
-> TSTRING& cUnixFSServices::MakeTempFilename( TSTRING& strName ) const
throw(eFSServices)
-> {
-> ...
-> // create temp filename
-> pchTempFileName = mktemp( szTemplate );
-> ...
-> strName = pchTempFileName;
-> ...
->
-> // Linux creates the file!! Doh!
-> // So I'll always attempt to delete it -bam
-> FileDelete( strName );
->
-> return( strName );
-> }
So it's going to be a really tight race since the file would have to be
created just after FileDelete is called.
-> void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR*
filename, uint32 openFlags )
-> {
-> ...
-> // if filename is NULL, create a temp file for the caller
-> if( filename == NULL )
-> {
-> try
-> {
-> iFSServices::GetInstance()->GetTempDirName( strTempFile
);
-> strTempFile += _T("twtempXXXXXX");
-> iFSServices::GetInstance()->MakeTempFilename( strTempFile
);
-> ...
-> // open file
-> mCurrentFilename = filename ? filename : strTempFile.c_str();
-> mCurrentFile.Open( mCurrentFilename, flags );
-> ...
-> }
I've been trying to think of a way to exploit this. The only way I could
foresee was if you could run an exploit as a cron timed with a tripwire
cron run as root and the exploit would create a lot of symlinks right
before tripwire runs which could allow creation of files as root but if
the file get's removed then really what you'd need is a way to watch all
the symlinks you've created and the instant one is removed create it
again (run on sentence;). Any ideas?
The patch should be to use mkstemp() if the OS is Linux.
Best Regards,
Charles Stevenson
