Sometimes reading code makes you scream.

Friday, 30 May 2014

So I've recently been looking at proxy-server source code, for obvious reasons. The starting point was a simple search of the available options:

~$ apt-cache search proxy filter
trafficserver - fast, scalable and extensible HTTP/1.1 compliant caching proxy server
ssh-agent-filter - filtering proxy for ssh-agent

Hrm? trafficserver? That sounds like fun. Let's look at the source.

cd /tmp
apt-get source trafficserver

Lots of code, but scanning it quickly with my favourite tool, grep, we find this "gem":

$ rgrep /tmp .
./mgmt/tools/  tmp = fopen("/tmp/shadow", "w");
./mgmt/tools/    system("/bin/mv -f /tmp/shadow /etc/shadow");

Is that really what it looks like? Really? Sadly yes.

There's lots of abuse of /tmp files in the code in mgmt/tools/, and although the modular structure took a while to understand, the code that is compiled there ultimately ends up being included in /usr/bin/traffic_shell. That means it is a "real" security issue, allowing race-tastic local attackers to do bad things.
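The safe way for a privileged helper to rewrite a system file, as an added example (not trafficserver's code): create the temporary file with mkstemp() in the target's own directory and rename() it into place, instead of a predictable name in /tmp plus a shell mv. The demo() self-check, its directory name and its sample shadow line are constructed for this example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Atomically replace `target` with `data`; 0 on success, -1 on error.
 * Unlike fopen("/tmp/shadow","w") + system("mv -f ..."): mkstemp() opens
 * O_CREAT|O_EXCL, mode 0600, unpredictable name, so a pre-planted file or
 * symlink is never followed; the temp file sits beside the target (same
 * filesystem) so rename() swaps it in atomically; no shell, no /tmp. */
static int replace_file_atomically(const char *target, const char *data)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", target) >= (int)sizeof tmp)
        return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    for (size_t len = strlen(data), off = 0; off < len; ) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) { close(fd); unlink(tmp); return -1; }
        off += (size_t)n;
    }
    int ok = fsync(fd) == 0;           /* data on disk before the rename */
    ok = (close(fd) == 0) && ok;
    if (!ok || rename(tmp, target) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Self-check in a private mkdtemp() directory with a constructed sample
 * line (a locked root entry); verifies content and 0600 mode. 0 = pass. */
int demo(void)
{
    static const char sample[] = "root:*:16221:0:99999:7:::\n";
    char dir[] = "/tmp/atomic-demo.XXXXXX", target[4096], buf[64] = {0};
    struct stat st; FILE *f = NULL; int rc = -1;
    if (!mkdtemp(dir)) return -1;      /* private 0700 dir, not a bare /tmp name */
    snprintf(target, sizeof target, "%s/shadow", dir);
    if (replace_file_atomically(target, sample) == 0 &&
        (f = fopen(target, "r")) && fgets(buf, sizeof buf, f) &&
        stat(target, &st) == 0 && strcmp(buf, sample) == 0 &&
        (st.st_mode & 0777) == 0600)
        rc = 0;
    if (f) fclose(f);
    unlink(target);
    rmdir(dir);
    return rc;
}
```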

Bug reported as #749846.

In happier news, the desk I was building is now complete. Pretty.


I feel like I should write about auditing software, but equally I feel unqualified - better people than me have already done so, e.g. David Wheeler.

Also I've done it before, and nobody paid attention. (Or rather the people that should consider security frequently fail to do so, which is .. frustrating.)



Comments On This Entry

[gravitar] Steven C.

Submitted at 00:14:56 on 31 may 2014

Wow, it's really epidemic, although mostly in build systems and testsuites:

You've persuaded me we really need something like this per default:

and that we'll need to implement it on kfreebsd too.

[gravitar] Steven C.

Submitted at 01:05:42 on 31 may 2014

And these might be good for a review by a seasoned C coder:

[gravitar] Stephen

Submitted at 02:01:42 on 31 may 2014

Why is a web cache proxy even touching /etc/shadow directly?

[author] Steve Kemp

Submitted at 07:17:46 on 31 may 2014

The code in that directory makes up a little static library, and that shadow-touching code is used to get/set the root password hash. Why that would be done? Who knows.

(Actually I think it isn't used, but the code for dumping the default route, etc, is..)

