Short Summary
-------------

GNU Parallel can be tricked into overwriting a file owned by the user
running GNU Parallel.

Published: 2015-04-22
Remote: No
Local: Yes
Ease: No exploits available - requires precise timing

Impact
------

A local attacker can exploit this issue to overwrite a file with a
one byte file.

Technical Description
---------------------

The vulnerability lies in the way GNU Parallel creates temporary files
while at the same time trying to remove them as soon as possible, so
that if GNU Parallel is stopped there will be no temporary files to
clean up.

So far this has been done by creating a temporary file and removing it
immediately. For some tasks the file will be recreated and removed at a
later stage. It is this last part that makes GNU Parallel vulnerable:
If an attacker sees the temporary file being created, and then removed,
he has 15 ms to create a symlink with the same name to a file owned by
the user. If the file is then recreated, this will overwrite the
user's file.

GNU Parallel is vulnerable when using --pipe, --tmux, --cat, --fifo,
or --compress.

The problem has been fixed for most situations, but it still exists
for: --tmux if run locally, and --cat, --fifo if run remotely using
--sshlogin.

For remote situations the time window is longer than 15 ms: The
attacker will be able to see the ssh command being sent on the client,
and will then be able to create the file on the server while the ssh
connection is being established.

Solutions
---------

Upgrading to 20150422 will fix most situations.

For the remaining situations there are the following work-arounds.
Any of these will protect against the attack:

* Let --tmpdir/$TMPDIR point to a dir that is only writable by the user
* Do not use --tmux
* Do not use --cat or --fifo when also using --sshlogin
* Do not use a system shared with attackers

If an upgrade is impossible, any of these work-arounds will guard
against an attack:

* Let --tmpdir/$TMPDIR point to a dir that is only writable by the user
* Do not use --tmux
* Do not use --cat or --fifo or --pipe or --compress
* Do not use a system shared with attackers

Vulnerable Systems
------------------

Any system running GNU Parallel 20101222 <= version < 20150422 is
vulnerable.
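
The first work-around (a --tmpdir/$TMPDIR that only the user can write to) can be checked before GNU Parallel is started. The shell functions below are an added example, not part of the original advisory or of GNU Parallel; the function names, the "parallel-tmp" prefix and the $HOME default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not GNU Parallel code): check the --tmpdir/$TMPDIR workaround.

# tmpdir_is_private DIR
# Succeeds only if DIR is a real directory (not a symlink), owned by the
# current user, and not writable by group or others.
tmpdir_is_private() {
    dir=$1
    if [ -z "$dir" ] || [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    if [ ! -O "$dir" ]; then           # must be owned by the effective user
        return 1
    fi
    # ls mode string, e.g. "drwx------": char 6 is group write, char 9 other write.
    mode=$(ls -ld -- "$dir" | cut -c1-10)
    case $mode in
        d????-??-?) return 0 ;;
        *)          return 1 ;;
    esac
}

# make_private_tmpdir [BASE]
# Creates a fresh mode-0700 directory under BASE (assumed default: $HOME)
# and prints its path. The name prefix "parallel-tmp" is an arbitrary choice.
make_private_tmpdir() {
    base=${1:-$HOME}
    new=$(mktemp -d "$base/parallel-tmp.XXXXXX") || return 1
    chmod 700 "$new" || return 1
    printf '%s\n' "$new"
}

# Usage (constructed):
#   d=$(make_private_tmpdir) && tmpdir_is_private "$d" &&
#       parallel --tmpdir "$d" --pipe wc -l < input.txt
```

The check covers the directory itself only; its parent directories must likewise not be writable by other users.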