Package: bokken
Version: 1.5-2
Severity: important
Tags: security

An attacker on a multi-user system can overwrite an arbitrary file owned by the user running bokken by creating a symlink named /tmp/graph.dot:

pabs@chianamo ~ $ ls -l foo /tmp/graph.dot
ls: cannot access foo: No such file or directory
lrwxrwxrwx 1 nobody nogroup 14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ bokken /bin/ls
Python version... OK
Checking:
Pyew availability... D'oh!
You need pyew in order to use pyew backend in binaries and PDFs. Download it
from its web:
- http://code.google.com/p/pyew/
Radare availability... OK
GTK UI dependencies... OK
GtkSourceView2... OK
Psyco availability... D'oh!
No psyco module found. It's recomended to use it to improve performance
Tidy availability... OK
Starting bokken, running on:
Python version:
2.7.2+ (default, Oct 5 2011, 10:41:47)
[GCC 4.6.1]
GTK version: 2.24.8
PyGTK version: 2.24.0
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in
get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
[*] Get text dasm
* Let's get the dasm for .init... OK!
/tmp/graph.dot created
* Let's get the dasm for .plt... OK!
* Let's get the dasm for .text... OK!
* Let's get the dasm for .fini... OK!
DEBUG: DASM finished, reading from queue!
Process state True
DEBUG: Got a disassembly of 951575 bytes.
DEBUG: Section lines created [12, 689, 19271, 8, 19980]
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/main.py", line 309, in
merge_dasm_rightextview
self.tviews.update_graph(self, link_name)
File "/usr/share/pyshared/bokken/ui/textviews.py", line 386, in update_graph
self.right_notebook.xdot_box.set_dot(self.uicore.get_callgraph(addr))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in
get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in
get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
pabs@chianamo ~ $ ls -l foo /tmp/graph.dot
-rw-r----- 1 pabs pabs 664 Dec 13 18:57 foo
lrwxrwxrwx 1 nobody nogroup 14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ cat foo
digraph code {
graph [bgcolor=white];
node [color=lightgray, style=filled shape=box fontname="Courier"
fontsize="8"];
"0x004046d4_0x004046d4" [URL="entry0/0x004046d4" color="lightgray", label="/
function: entry0 (42)\l| 0x004046d4 entry0:\l| 0x004046d4 xor ebp, ebp\l|
0x004046d6 mov r9, rdx\l| 0x004046d9 pop rsi\l| 0x004046da mov rdx,
rsp\l| 0x004046dd and rsp, 0xfffffffffffffff0\l| 0x004046e1 push rax\l|
0x004046e2 push rsp\l| 0x004046e3 mov r8, 0x412500\l| 0x004046ea mov rcx,
0x412510\l| 0x004046f1 mov rdi, section_end..plt\l| 0x004046f8 call dword
imp.__libc_start_main\l| ; imp.__libc_start_main()\l\ 0x004046fd hlt\l"]
}
pabs@chianamo ~ $ bokken /bin/ls
Python version... OK
Checking:
Pyew availability... D'oh!
You need pyew in order to use pyew backend in binaries and PDFs. Download it
from its web:
- http://code.google.com/p/pyew/
Radare availability... OK
GTK UI dependencies... OK
GtkSourceView2... OK
Psyco availability... D'oh!
No psyco module found. It's recomended to use it to improve performance
Tidy availability... OK
Starting bokken, running on:
Python version:
2.7.2+ (default, Oct 5 2011, 10:41:47)
[GCC 4.6.1]
GTK version: 2.24.8
PyGTK version: 2.24.0
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in
get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
[*] Get text dasm
* Let's get the dasm for .init... OK!
/tmp/graph.dot created
* Let's get the dasm for .plt... OK!
* Let's get the dasm for .text... OK!
* Let's get the dasm for .fini... OK!
DEBUG: DASM finished, reading from queue!
Process state True
DEBUG: Got a disassembly of 951552 bytes.
DEBUG: Section lines created [12, 689, 19271, 8, 19980]
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in
get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/main.py", line 309, in
merge_dasm_rightextview
self.tviews.update_graph(self, link_name)
File "/usr/share/pyshared/bokken/ui/textviews.py", line 386, in update_graph
self.right_notebook.xdot_box.set_dot(self.uicore.get_callgraph(addr))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in
get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
pabs@chianamo ~ $ ls -l foo /tmp/graph.dot
-rw-r----- 1 pabs pabs 664 Dec 13 19:02 foo
lrwxrwxrwx 1 nobody nogroup 14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ cat foo
digraph code {
graph [bgcolor=white];
node [color=lightgray, style=filled shape=box fontname="Courier"
fontsize="8"];
"0x004046d4_0x004046d4" [URL="entry0/0x004046d4" color="lightgray", label="/
function: entry0 (42)\l| 0x004046d4 entry0:\l| 0x004046d4 xor ebp, ebp\l|
0x004046d6 mov r9, rdx\l| 0x004046d9 pop rsi\l| 0x004046da mov rdx,
rsp\l| 0x004046dd and rsp, 0xfffffffffffffff0\l| 0x004046e1 push rax\l|
0x004046e2 push rsp\l| 0x004046e3 mov r8, 0x412500\l| 0x004046ea mov rcx,
0x412510\l| 0x004046f1 mov rdi, section_end..plt\l| 0x004046f8 call dword
imp.__libc_start_main\l| ; imp.__libc_start_main()\l\ 0x004046fd hlt\l"]
}
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages bokken depends on:
ii python 2.7.2-9
ii python-gtk2 2.24.0-2
ii python-gtksourceview2 2.10.1-2
ii python-radare2 0.9-1
ii python2.6 2.6.7-4
ii python2.7 2.7.2-7
--
bye,
pabs
http://wiki.debian.org/PaulWise
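
Added example, not part of the original report and not bokken's own code: a Python 3 sketch of the fixed-name write the session above shows being followed through a symlink, next to two hardened writers. The function names and the scratch directory standing in for /tmp and /home/pabs are assumptions made for illustration.

```python
import os
import tempfile

DOT = "digraph code {}\n"  # constructed sample content

def write_dot_predictable(path, text=DOT):
    """Fixed name plus plain open(): follows a symlink planted at that name."""
    with open(path, "w") as fh:
        fh.write(text)

def write_dot_exclusive(path, text=DOT):
    """Fixed name, but O_CREAT|O_EXCL fails if anything (including a dangling
    symlink) already exists there; O_NOFOLLOW is defence in depth."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

def write_dot_private(directory=None, text=DOT):
    """Preferred: mkstemp picks an unpredictable name, opens with O_EXCL, mode 0600."""
    fd, path = tempfile.mkstemp(prefix="graph-", suffix=".dot", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path

def demo():
    """Run the three writers against a planted symlink inside a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "foo")      # stands in for /home/pabs/foo
        link = os.path.join(scratch, "graph.dot")  # stands in for /tmp/graph.dot
        os.symlink(victim, link)                   # dangling link, as in the report

        write_dot_predictable(link)
        results["predictable_created_victim"] = os.path.exists(victim)
        os.unlink(victim)                          # reset for the next writer

        try:
            write_dot_exclusive(link)
            results["exclusive_refused"] = False
        except OSError:                            # EEXIST (or ELOOP) on the symlink
            results["exclusive_refused"] = True
        results["victim_after_exclusive"] = os.path.exists(victim)

        private = write_dot_private(scratch)
        results["private_ok"] = os.path.isfile(private) and not os.path.islink(private)
        results["private_mode"] = oct(os.stat(private).st_mode & 0o777)
    return results

if __name__ == "__main__":
    print(demo())
```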

