Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Mathematica8.0.4 on Linux /tmp/MathLink vulnerability
From: paul.szabo () sydney edu au
Date: Tue, 17 Apr 2012 06:51:20 +1000

Dear Vikram,

Mathematica on Linux uses the /tmp/MathLink directory in insecure ways.
Mathematica creates or re-uses an existing /tmp/MathLink directory, and
overwrites files within and follows symlinks. ...

One quick fix here could be to change user permissions with chmod or
add a new group where Mathematica in /tmp doesn't have permissions to
anything under /home so then even if a user is compromised, the
symlink won't work because the user doesn't have permissions. A root
user here is an entirely different problem, here an attacker can
symlink to any directory. So a new group to setup permissions for
Mathemtica /tmp access would be a better idea. Will look into a patch
soon.

My ideas for a fix, so far:

It is tempting to add O_NOFOLLOW to the relevant open() calls, maybe by
changing the string "open" to something else:
  perl -i.bak -pe 's/open/PSzO/g' SystemFiles/Libraries/Linux*/libML*.so
and LD_PRELOAD a library built from something like
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <fcntl.h>
  int PSzO(const char *pathname, int flags, mode_t mode)
  {
    return open(pathname, flags|O_NOFOLLOW, mode);
  }
but that would not work: I believe those files in /tmp/MathLink allow
other processes to send commands to the running Mathematica session,
possibly including shell escapes.

The fix might be to make the directory in /tmp private to the user,
naming it /tmp/MathLink-$USER and checking it has right owner and
"chmod 0700" permissions. That fix will need to be implemented by
Wolfram.

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault