Bug#651931: bokken: vulnerable to symlink attack, leading to arbitrary file overwrite

2011-12-13 Thread Paul Wise
Package: bokken
Version: 1.5-2
Severity: important
Tags: security

An attacker on a multi-user system can overwrite an arbitrary file owned
by the user running bokken by creating a symlink named /tmp/graph.dot:

pabs@chianamo ~ $ ls -l foo /tmp/graph.dot 
ls: cannot access foo: No such file or directory
lrwxrwxrwx 1 nobody nogroup 14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ bokken /bin/ls
Python version...   OK
Checking:
Pyew availability...D'oh!
You need pyew in order to use pyew backend in binaries and PDFs. Download it 
from its web:
- http://code.google.com/p/pyew/

Radare availability...  OK
GTK UI dependencies...  OK
GtkSourceView2...   OK
Psyco availability...   D'oh!
No psyco module found. It's recomended to use it to improve performance

Tidy availability...OK
Starting bokken, running on:
  Python version:
2.7.2+ (default, Oct  5 2011, 10:41:47) 
[GCC 4.6.1]
  GTK version: 2.24.8
  PyGTK version: 2.24.0

/tmp/graph.dot created
Traceback (most recent call last):
  File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
    self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
  File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
    os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
[*] Get text dasm
* Let's get the dasm for .init...  OK!
/tmp/graph.dot created
* Let's get the dasm for .plt...  OK!
* Let's get the dasm for .text...  OK!
* Let's get the dasm for .fini...  OK!
DEBUG: DASM finished, reading from queue!
Process state True
DEBUG: Got a disassembly of 951575 bytes.
DEBUG: Section lines created [12, 689, 19271, 8, 19980]
/tmp/graph.dot created
Traceback (most recent call last):
  File "/usr/share/pyshared/bokken/ui/main.py", line 309, in merge_dasm_rightextview
    self.tviews.update_graph(self, link_name)
  File "/usr/share/pyshared/bokken/ui/textviews.py", line 386, in update_graph
    self.right_notebook.xdot_box.set_dot(self.uicore.get_callgraph(addr))
  File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
    os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
/tmp/graph.dot created
Traceback (most recent call last):
  File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
    self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
  File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
    os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
pabs@chianamo ~ $ ls -l foo /tmp/graph.dot 
-rw-r- 1 pabs pabs 664 Dec 13 18:57 foo
lrwxrwxrwx 1 nobody nogroup 14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ cat foo
digraph code {
graph [bgcolor=white];
node [color=lightgray, style=filled shape=box fontname=Courier 
fontsize=8];
 0x004046d4_0x004046d4 [URL=entry0/0x004046d4 color=lightgray, label=/ 
function: entry0 (42)\l| 0x004046d4  entry0:\l| 0x004046d4   xor ebp, ebp\l| 
0x004046d6   mov r9, rdx\l| 0x004046d9   pop rsi\l| 0x004046da   mov rdx, 
rsp\l| 0x004046dd   and rsp, 0xfff0\l| 0x004046e1   push rax\l| 
0x004046e2   push rsp\l| 0x004046e3   mov r8, 0x412500\l| 0x004046ea   mov rcx, 
0x412510\l| 0x004046f1   mov rdi, section_end..plt\l| 0x004046f8   call dword 
imp.__libc_start_main\l| ; imp.__libc_start_main()\l\ 0x004046fd   hlt\l]
}
pabs@chianamo ~ $ bokken /bin/ls
Python version...   OK
Checking:
Pyew availability...D'oh!
You need pyew in order to use pyew backend in binaries and PDFs. Download it 
from its web:
- http://code.google.com/p/pyew/

Radare availability...  OK
GTK UI dependencies...  OK
GtkSourceView2...   OK
Psyco availability...   D'oh!
No psyco module found. It's recomended to use it to improve performance

Tidy availability...OK
Starting bokken, running on:
  Python version:
2.7.2+ (default, Oct  5 2011, 10:41:47) 
[GCC 4.6.1]
  GTK version: 2.24.8
  PyGTK version: 2.24.0

/tmp/graph.dot created
Traceback (most recent call last):
  File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
    self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
  File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
    os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
[*] Get text dasm
* Let's get the dasm for .init...  OK!
/tmp/graph.dot created
* Let's get the dasm for .plt...  OK!
* Let's get the dasm for .text...  OK!
* Let's get the dasm for .fini...  OK!
DEBUG: DASM finished, reading from queue!
Process state True
DEBUG: Got a disassembly of 951552 bytes.
DEBUG: Section lines created [12, 689, 19271, 8, 19980]
/tmp/graph.dot created
Traceback (most recent call last):
  File 

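The pattern behind the report above, shown as an added example and not as bokken's own code: the vulnerable function below is a reconstruction of what the traceback implies (write the graph to the fixed path /tmp/graph.dot, then os.unlink it), not the project's real get_callgraph. open() on a predictable name in a sticky, world-writable directory follows a pre-planted symlink, so the graph is written into the link's target before the unlink is even attempted. The EPERM on os.unlink in the report is /tmp's sticky bit refusing to let pabs remove a link owned by nobody, by which point /home/pabs/foo is already overwritten. The sandbox directories, the victim file and the dot text are constructed for the example; the two fixes shown are tempfile.mkstemp() and, when the name must stay fixed, O_CREAT|O_EXCL|O_NOFOLLOW.

```python
# Added demonstration (not bokken's code): why a fixed name in /tmp is
# overwritable through a symlink, and two ways to create a temp file safely.
import errno
import os
import tempfile

# Constructed sample: a trivial dot graph standing in for the real callgraph.
SAMPLE_DOT = "digraph code {\n graph [bgcolor=white];\n}\n"
ORIGINAL = "original contents\n"


def write_graph_fixed_path(shared_dir, dot_text):
    """Hypothetical reconstruction of the vulnerable pattern: a predictable
    name in a world-writable directory, opened with plain open().  open()
    follows whatever symlink already sits at that name, so the bytes land
    in the link's target, here the victim's file.  (The report's code then
    calls os.unlink on the path; the damage is done before that.)"""
    path = os.path.join(shared_dir, "graph.dot")
    with open(path, "w") as fh:
        fh.write(dot_text)
    return path


def open_exclusive_nofollow(path):
    """Fix when the name must stay fixed: O_CREAT|O_EXCL fails with EEXIST if
    anything (a symlink included) already has that name, and O_NOFOLLOW
    refuses to traverse a symlink at the final component (ELOOP).  Returns
    a file descriptor for a fresh file with mode 0600."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def write_graph_mkstemp(shared_dir, dot_text):
    """Preferred fix: mkstemp() chooses an unpredictable name and creates it
    with O_CREAT|O_EXCL and mode 0600, so an attacker can neither guess the
    name in advance nor pre-plant a link at it."""
    fd, path = tempfile.mkstemp(prefix="bokken-graph-", suffix=".dot", dir=shared_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(dot_text)
    return path


def demo():
    """Plant the symlink the way the report does (ln -s ~/foo /tmp/graph.dot)
    inside a private sandbox and run the three writers against it."""
    with tempfile.TemporaryDirectory() as sandbox:
        shared = os.path.join(sandbox, "tmp")    # stand-in for /tmp
        home = os.path.join(sandbox, "home")     # stand-in for /home/pabs
        os.mkdir(shared)
        os.mkdir(home)
        victim = os.path.join(home, "foo")
        trap = os.path.join(shared, "graph.dot")

        def reset_victim():
            with open(victim, "w") as fh:
                fh.write(ORIGINAL)

        def read_victim():
            with open(victim) as fh:
                return fh.read()

        reset_victim()
        os.symlink(victim, trap)          # the attacker's move
        results = {}

        # 1. Vulnerable writer: the victim file now holds the graph.
        write_graph_fixed_path(shared, SAMPLE_DOT)
        results["victim_after_fixed_path"] = read_victim()

        # 2. Exclusive open on the booby-trapped name is refused by the kernel.
        reset_victim()
        try:
            os.close(open_exclusive_nofollow(trap))
            results["exclusive_refused"] = False
        except OSError as exc:
            results["exclusive_refused"] = exc.errno in (errno.EEXIST, errno.ELOOP)
        results["victim_after_exclusive"] = read_victim()

        # 3. mkstemp never touches the planted name at all.
        safe_path = write_graph_mkstemp(shared, SAMPLE_DOT)
        results["victim_after_mkstemp"] = read_victim()
        results["mkstemp_used_planted_name"] = os.path.islink(safe_path)
        with open(safe_path) as fh:
            results["mkstemp_contents"] = fh.read()
        results["mkstemp_mode"] = oct(os.stat(safe_path).st_mode & 0o777)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

Run it directly to print the three outcomes: with the link in place only the fixed-path writer changes the victim, the exclusive open fails (O_EXCL is checked against the directory entry itself, not against where the link points), and mkstemp's randomly named 0600 file is the one a caller should hand to xdot and unlink afterwards.
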
Bug#651931: bokken: vulnerable to symlink attack, leading to arbitrary file overwrite

2011-12-13 Thread David Martínez Moreno
Acknowledged, I'm working on a fix.

Thanks,


Ender.


