Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: usb_modeswitch/pppd -detach
From: Valdis.Kletnieks () vt edu
Date: Mon, 23 Jan 2012 11:02:43 -0500

On Sun, 22 Jan 2012 02:38:57 GMT, "Larry W. Cashdollar" said:

This is still a race condition since the pid can be guessed easily as well.  It's better to use mktemp 
/tmp/debug.XXXXXXXXXX.

No, that's *still* beatable, because if you know what the PID will be you can
guess what the XXXX will be filled in with (it's basically just salted with the
contents of the target directory, so anybody who can do a readdir() and can
guess the pid can predict the value).  What you *want* to do is read the mktemp
documentation and find this example on how to put the file into a securely
created subdirectory rather than directly in /tmp:

   * Create a secure fifo relative to the user's choice of `TMPDIR',
     but falling back to the current directory rather than `/tmp'.
     Note that `mktemp' does not create fifos, but can create a secure
     directory in which the fifo can live.  Exit the shell if the
     directory or fifo could not be created.
          $ dir=$(mktemp -p "${TMPDIR:-.}" -d dir-XXXX) || exit 1
          $ fifo=$dir/fifo
          $ mkfifo "$fifo" || { rmdir "$dir"; exit 1; }

(The -d option creates a subdirectory.  Unlike open() or creat() of a normal
file, which will chase a symlink if it exists, the mkdir() system call will
fail with EEXIST if there's a symlink waiting there.  And once you have a mode
700 directory owned by yourself, it's kind of hard for the attacker to drop a
symlink into there behind your back).

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]