Home page logo
/

bugtraq logo Bugtraq mailing list archives

[ZH2005-16SA] Insecure temporary file creation in Skype for Linux
From: badpenguin () zone-h org
Date: 16 Jul 2005 09:23:03 -0000

[ZH2005-16SA] Insecure temporary file creation in Skype for Linux


Application: Skype for Linux
Version affected: <= 1.1.0.20
Vendor website : http://www.skype.com


Author: Giovanni Delvecchio
e-mail: badpenguin at zone-h.org



About Skype
==========
Skype is a free program that uses the latest P2P technology to bring affordable and high-quality voice communications 
to people all over the 
world. It also provides a service of Instant Messaging.



Details
======
Each user has his own profile which can be personalized with a picture. When a user adds a picture for his profile, 
Skype creates in /tmp directory a file named "skype_profile.jpg" in an insecure manner, without checking if the file 
already exists and if it's a symbolic link.

-----------------------------------------------------------------------------------------------------------------------------------------
bad () badpenguin:~/skype-1.1.0.20$ strace -e trace=open skype
.
.
open("/home/bad/image.jpg", O_RDONLY|O_LARGEFILE) = 21 // picture chosen by user
open("/tmp/skype_profile.jpg", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 23 // insecure temporary file creation (it 
should use O_EXCL or O_NOFOLLOW flag)
.
.
------------------------------------------------------------------------------------------------------------------------------------------


This could represent a security problem in a multi-user environment because usually /tmp directory is "world-writable".
Indeed, such problem could be exploited by a malicious local user via symlink attack to overwrite arbitrary files with 
the privileges of the user that running Skype.


Example:

ln -s file_to_overwrite /tmp/skype_profile.jpg

When the user will add a picture for his profile , the file symlinked by attacker will be overwritten with the file 
content that the user has chosen 
to update his profile.

In certain conditions a privilege escalation is possible.
An example of privilege escalation exploiting this type of vulnerability is the following:

from http://www.securityfocus.com/archive/82/327361/2003-06-29/2003-07-05/0 :

"Starting release 9, Red Hat ships and uses pam_timestamp_check.so module (accompanied by /sbin/pam_timestamp_check 
setuid helper), a part of the new pam-0.75 (Pluggable Authentication Modules) package. PAM is a generic centralized 
authentication and session management component that is also shipped by an increasing number of other distributions, so 
it is reasonable that the code is about to propagate to other distros.
The module mentioned implements a credential caching functionality, very closely inspired on a tty ticketing system 
used in sudo.
The way the module works(and sudo), in essence, is that it gets current pseudo-terminal name A, current user name B, 
and the user for which
credentials are cached, C (usually root for Red Hat applications, user himself for sudo). Then the code checks for 
/var/run/sudo/B/A:C (or
/var/run/sudo/B/A if B == C), and if the file is recent (regardless of its content), the module returns success, and 
enables the user to skip the usual password authentication.

Since there's no check for file origin, it should be more than obvious that suddenly, any insecure file creation 
problem in an application used by a 
superuser,it is possible to spoof a ticket in /var/run and bypass root password prompt and other checks, and perform 
administrative tasks, easily 
modifying system config, installing custom components (say, a rootshell), etc. All this by
crafting a single symlink that is later opened with O_CREAT with no O_EXCL or O_NOFOLLOW.


Example:
----------------------------------------------------------------------------------------
#!/bin/sh

#get current terminal number from /dev/pts/xx
terminal_number=`tty | cut -f4 -d '/'`

user_ticket=$USER/$terminal_number:root
ln -s /var/run/sudo/$user_ticket /tmp/skype_profile.jpg
---------------------------------------------------------------------------------------------



Solution
========
No fix available at the moment;
Grant only trusted users writing access to /tmp directory .



Timeline
========
07 April 2005 - bug dicovered

08 April 2005 - Skype contacted by security at skype.net

14 April 2005 - 1th Response from Skype:
"Thank you for the email, we will pass it on to our developers.
Regards,
Andres"

25 May 2005 - Skype for Linux version 1.1.0.13 released, the problem is present again.

27 May 2005 - Skype re-contacted by security at skype.net

27 May 2005 - 2th Response from Skype:
"Giovanni, Thank you for the email again. I've spoken to our Linux developers and they assure me this will be fixed in 
the next version and 
they are considering posting an immediate advisory.
Again, your help is appreciated.
Regards,
Andres"

5 July 2005 - Skype for Linux version 1.1.0.20 released, but the bug hasn't been fixed.

15 July 205 - Public advisory



Author's Note
=============
Although this type of vulnerability isn't a problem for a single desktop user, instead it could represent a problem in 
a multi user environment.
For example, Skype is used by many companies with some hundred of employees, and in such environment several users have 
access on an host, locally or remotely . Any user,even with low privileges, could exploit this type vulnerabily to 
overwrite or create arbitrary files with the privileges of 
the user that running Skype, and in certain case conduct a privilege escalation.
A study made by CERT (Computer Emergency Response Team) called ITS (Insider Thread Study) shows like many times the 
incidents in companies are pepetrated by insider (eg. current or former employees ).
So, i think that in these conditions this bug may represent a security problem , and Skype should fix it quickly.



Reference
=========
http://www.zone-h.org/advisories/read/id=7808


  By Date           By Thread  

Current thread:
  • [ZH2005-16SA] Insecure temporary file creation in Skype for Linux badpenguin (Jul 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]