About Archive Tags RSS Feed

 

Sometimes reading code makes you scream.

30 May 2014 21:50

So I've recently been looking at proxy-server source code, for obvious reasons. The starting point was a simple search of the available options:

~$ apt-cache search proxy filter
...
trafficserver - fast, scalable and extensible HTTP/1.1 compliant caching proxy server
ssh-agent-filter - filtering proxy for ssh-agent

Hrm? trafficserver? That sounds like fun. Lets look at the source.

cd /tmp
apt-get source trafficserver

Lots of code, but scanning it quickly with my favourite tool, grep, we find this "gem":

$ rgrep /tmp .
./mgmt/tools/SysAPI.cc:  tmp = fopen("/tmp/shadow", "w");
./mgmt/tools/SysAPI.cc:    system("/bin/mv -f /tmp/shadow /etc/shadow");

Is that really what it looks like? Really? Sadly yes.

There's lots of abuse of /tmpfiles in the code in mgmt/tools/, and although the modular structure took a while to understand the code that is compiled here ultimately ends up being included in /usr/bin/traffic_shell. That means it is a "real" security issue, allowing race-tastic local-attackers to do bad things.

Bug reported as #749846.

In happier news, the desk I was building is now complete. Pretty.

 

I feel like I should write about auditing software, but equally I feel unqualified - better people than me have already done so, e.g. David Wheeler.

Also I've done it before, and nobody paid attention. (Or rather the poeple that should consider security frequently fail to do so, which is .. frustrating.)

| 4 comments

 

Comments on this entry

icon Steven C. at 00:14 on 31 May 2014

Wow, it's really epidemic, although mostly in build systems and testsuites:
http://codesearch.debian.net/search?q=mv+/tmp
http://codesearch.debian.net/search?q=sort.*%3E+%3F%2Ftmp

You've persuaded me we really need something like this per default:
http://www.openwall.com/lists/kernel-hardening/2012/07/26/2

and that we'll need to implement it on kfreebsd too.

icon Steven C. at 01:05 on 31 May 2014

And these might be good for a review by a seasoned C coder:
http://codesearch.debian.net/search?q=package%3Atrafficserver+coverity

icon Stephen at 02:01 on 31 May 2014

Why is a web cache proxy even touching /etc/shadow directly?

icon Steve Kemp at 07:17 on 31 May 2014
http://steve.org.uk/.

The code in that directory makes up a little static library, and that shadow-touching code is used to get/set the root password hash. Why that would be done? Who knows.

(Actually I think it isn't used, but the code for dumping the default route, etc, is..)