Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Midnight Commander /tmp race

From: lcamtuf () BOSS STASZIC WAW PL (Michal Zalewski)
Date: Sun, 15 Mar 1998 16:33:47 +0100

Midnight Commander (I have version 4.1.8, RedHat 5.0) is launched using
the following shell macro:

mc=()
{
    MC=/tmp/mc$$-"$RANDOM";
    /usr/bin/mc -P "$@" >"$MC";
    cd "`cat $MC`";
    rm "$MC";
    unset MC
}

Well, unfortunately it isn't secure. $$ is replaced with shell pid (not mc
pid!!!) - usually it's user's login shell pid, and may be obtained with
'ps au|grep "\-bash"'. $RANDOM, as everyone knows, generates pseudo-random
integer from range 0..32767. Well, 'random' number isn't very random,
but even without mathematical tricks we can guess it - when we create
eg. 1000 [sym]links (a few seconds), our chances are about 1/33, and
probably target file will be sooner or later overwritten with mc's last
working directory. With 10000 files (it will take maybe a half minute) -
our chances incerases to about 1/3, but it needs more disk activity and
may be detected...

Solution? Use mktemp: MC=`mktemp mc$$-XXXXXX` instead of $RANDOM :)))

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deustch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
Previous By Date Next
Previous By Thread Next

Current thread: