Bug#840685: marked as done (TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory)

2016-11-23 Thread Debian Bug Tracking System
Your message dated Wed, 23 Nov 2016 19:32:10 +
with message-id 
and subject line Bug#840685: fixed in tomcat8 8.0.14-1+deb8u4
has caused the Debian Bug report #840685,
regarding TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
840685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat8
Version: 8.0.14-1+deb8u3
Severity: critical
Tags: security
Justification: root security hole


[ I contacted t...@security.debian.org about this, but no response ... ]

Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so:

...
NAME=tomcat8
...
JVM_TMP=/tmp/tomcat8-$NAME-tmp
...
# Remove / recreate JVM_TMP directory
rm -rf "$JVM_TMP"
mkdir -p "$JVM_TMP" || {
	log_failure_msg "could not create JVM temporary directory"
	exit 1
}
chown $TOMCAT8_USER "$JVM_TMP"
...

That suffers from a TOCTOU race condition.

An attacker can, after the "rm -rf", create a symlink to /etc. Then
"mkdir -p" returns success (though does nothing); and chown follows
the symlink. That is "game over": ability to replace /etc/passwd.

The attacker can use inotify and act quickly, and have a good chance
of winning the race to create the symlink before the init.d script
starts a new mkdir process.

Do you need some working PoC code?

---

The script should be made more robust by using "chown -h". (This would
protect against the above attack.)

The script should use plain mkdir without "-p": not needed as we create
a single directory, and should not be used to let mkdir return failure.
(This may make it safe.)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.36-pk07.24-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat8 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat8-common         8.0.14-1+deb8u3
ii  ucf                    3.0030

Versions of packages tomcat8 recommends:
pn  authbind  

Versions of packages tomcat8 suggests:
pn  libtcnative-1 
pn  tomcat8-admin 
pn  tomcat8-docs  
pn  tomcat8-examples  
pn  tomcat8-user  

-- Configuration Files:
/etc/init.d/tomcat8 changed [not included]
/etc/tomcat8/catalina.properties [Errno 13] Permission denied: u'/etc/tomcat8/catalina.properties'
/etc/tomcat8/context.xml [Errno 13] Permission denied: u'/etc/tomcat8/context.xml'
/etc/tomcat8/logging.properties [Errno 13] Permission denied: u'/etc/tomcat8/logging.properties'
/etc/tomcat8/policy.d/01system.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/01system.policy'
/etc/tomcat8/policy.d/02debian.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/02debian.policy'
/etc/tomcat8/policy.d/03catalina.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/03catalina.policy'
/etc/tomcat8/policy.d/04webapps.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/04webapps.policy'
/etc/tomcat8/policy.d/50local.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/50local.policy'
/etc/tomcat8/server.xml [Errno 13] Permission denied: u'/etc/tomcat8/server.xml'
/etc/tomcat8/tomcat-users.xml [Errno 13] Permission denied: u'/etc/tomcat8/tomcat-users.xml'
/etc/tomcat8/web.xml [Errno 13] Permission denied: u'/etc/tomcat8/web.xml'

-- debconf information excluded
--- End Message ---
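The race described in the report above, reproduced as an added example (this is not code from the bug report, from the tomcat8 package or from Debian's eventual fix). Instead of winning a timing race, the script simply recreates the state in which the attacker has already won: JVM_TMP has been removed and a symlink now sits at its path. It then runs the DSA-3670 sequence and a hardened variant side by side. Assumptions: a private tree from mktemp -d stands in for /tmp and /etc (so nothing on the real system is touched and no root is needed); TOMCAT8_USER is replaced by the caller's own uid; the hardened sequence (plain mkdir, a directory-not-symlink check, chown -h) is the reporter's suggestion carried out, not necessarily what the 8.0.14-1+deb8u4 or 8.0.38-1 packages ship; the names SANDBOX, FAKE_ETC, plant_symlink, vulnerable_create, hardened_create and chown_target are this example's own.

```shell
#!/bin/sh
# Added example: recreates the post-"rm -rf" state in which the attacker has
# already planted the symlink (no timing needed), then runs the reporter's
# original sequence and a hardened one side by side.
# Everything lives under a throwaway mktemp -d tree; /etc is never touched.
# Names below (SANDBOX, FAKE_ETC, plant_symlink, ...) are this example's own.

set -u

# Build a private stand-in for /tmp and /etc.
setup_sandbox() {
    SANDBOX=$(mktemp -d)
    FAKE_ETC="$SANDBOX/etc"                        # the attacker's real target
    JVM_TMP="$SANDBOX/tmp/tomcat8-tomcat8-tmp"     # mirrors /tmp/tomcat8-$NAME-tmp
    mkdir -p "$FAKE_ETC" "$SANDBOX/tmp"
    : > "$FAKE_ETC/passwd"
}

# Attacker's move: between the script's "rm -rf" and its "mkdir -p",
# drop a symlink at the expected path pointing at the target directory.
plant_symlink() {
    rm -rf "$JVM_TMP"
    ln -s "$FAKE_ETC" "$JVM_TMP"
}

# Sequence from the DSA-3670 initscript. mkdir -p treats "already exists and
# is a directory" as success, and its stat() follows the symlink, so it
# returns 0. The chown that follows (without -h) dereferences the link too.
vulnerable_create() {
    mkdir -p "$JVM_TMP" || return 1
    # real script: chown $TOMCAT8_USER "$JVM_TMP"   (not run here: no root)
    return 0
}

# Hardened sequence: plain mkdir must create the entry itself, so an
# attacker-planted symlink (or directory) makes it fail with EEXIST; then
# confirm we hold a real directory and use chown -h so no link is followed.
hardened_create() {
    mkdir "$JVM_TMP" || return 1
    [ -d "$JVM_TMP" ] && [ ! -L "$JVM_TMP" ] || return 1
    chown -h "$(id -u)" "$JVM_TMP" || return 1    # own uid stands in for TOMCAT8_USER
    return 0
}

# Where a dereferencing chown would land: resolve the path as the kernel does.
chown_target() {
    readlink -f "$JVM_TMP"
}

# Demonstration (runs when the file is executed).
setup_sandbox

plant_symlink
if vulnerable_create; then
    echo "vulnerable: mkdir -p returned 0; chown would have operated on $(chown_target)"
fi

plant_symlink
if ! hardened_create 2>/dev/null; then
    echo "hardened:   refused, plain mkdir hit the attacker's symlink (EEXIST)"
fi

rm -rf "$JVM_TMP"
if hardened_create; then
    echo "hardened:   clean start created real directory $(chown_target)"
fi

rm -rf "$SANDBOX"
```

Two caveats a practitioner would want alongside this. First, the hardened sequence converts the root compromise into a denial of service: an attacker who pre-creates a real directory at the predictable path makes the plain mkdir fail and tomcat8 refuses to start; keeping the directory out of a world-writable location, or creating it with mktemp -d, removes the predictable-name problem at its root. Second, on a Linux kernel with fs.protected_symlinks=1 a root process is refused when it follows a symlink owned by another user in a sticky, world-writable directory such as /tmp, which blocks this particular attack there; the example deliberately runs in a private directory so that setting does not interfere with the demonstration.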
--- Begin Message ---
Source: tomcat8
Source-Version: 8.0.14-1+deb8u4

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 840...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you

Bug#840685: marked as done (TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory)

2016-10-19 Thread Debian Bug Tracking System
Your message dated Wed, 19 Oct 2016 10:40:37 +
with message-id 
and subject line Bug#840685: fixed in tomcat8 8.0.38-1
has caused the Debian Bug report #840685,
regarding TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
840685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tomcat8
Source-Version: 8.0.38-1

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 840...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that