Date: Wed, 14 May 2008 17:38:12 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: vim $TMPDIR directory stat (was: Re: CVE request: Emacs 21 fast-lock-mode arbitrary lips code execution)

Hi Tavis,
* Tavis Ormandy <taviso@....lonestar.org> [2008-05-14 17:03]:
> On Wed, May 14, 2008 at 04:03:34PM +0200, Sven Joachim wrote:
> > On 2008-05-14 15:27 +0200, Nico Golde wrote:
> > 
> > > As I am a vim user I might have done something wrong too, 
> > > not sure. What I did after installing emacs:
> 
> Same here, so out of curiosity I ran strace -efile -o log vim, and
> edited a few files. I observed vim looking for a directory called
> $TMPDIR in the wd, and using it as you would expect. Obviously a bug,
> and perhaps some minor security implications, anyone want to
> investigate? :-)

The reason is:
src/unix.h:
#  define TEMPDIRNAMES  "$TMPDIR", "/tmp", ".", "$HOME"

On startup vim then expands those paths and checks if the 
directory exists (that's where the stat comes from I think). 
If it exists it will use it as temporary directory to mkdir 
the temporary directory for vim files, v<somenumber>.

src/fileio.c:
    for (i = 0; i < sizeof(tempdirs) / sizeof(char *); ++i)
    {
        /* expand $TMP, leave room for "/v1100000/999999999" */
        expand_env((char_u *)tempdirs[i], itmp, TEMPNAMELEN - 20);
        printf("expanded %s to %s\n", tempdirs[i], itmp);
        if (mch_isdir(itmp))                /* directory exists */
    ....
                sprintf((char *)itmp + STRLEN(itmp), "v%ld", nr + off);
# ifndef EEXIST
                /* If mkdir() does not set errno to EEXIST, check for
                 * existing file here.  There is a race condition then,
                 * although it's fail-safe. */
                if (mch_stat((char *)itmp, &st) >= 0)
                    continue;
# endif
#if defined(UNIX) || defined(VMS)
                /* Make sure the umask doesn't remove the executable bit.
                 * "repl" has been reported to use "177". */
                umask_save = umask(077);
#endif
                r = vim_mkdir(itmp, 0700);


So it checks for $TMPDIR on your system because this 
environment variable is not set and therefore can't be expanded?!

You could redirect the temporary files of a user to a 
location the attacker and the victim both have access to, but vim 
still sets the correct permissions, so this does not help the 
attacker. After a quick check this doesn't look like a 
security issue to me.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
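The following is an added example, not vim's code and not part of the original mail. It models the TEMPDIRNAMES selection loop quoted above in a small stand-alone program and shows the two defensive points the discussion turns on: an expander that skips an unset $VAR instead of leaving the literal "$TMPDIR" string to be stat()ed, and a check that the created "v<pid>" directory really is owned by the current user with mode 0700. The names expand_env_strict(), is_safe_private_dir() and make_private_tempdir() are chosen here and are not vim's; vim's own functions are expand_env(), mch_isdir() and vim_mkdir(). The candidate list is copied from the #define above.

```c
/* Added example, not vim's code: a model of the TEMPDIRNAMES selection
 * loop from src/fileio.c plus the ownership/permission check a defender
 * wants before trusting a temporary directory. Function names below are
 * hypothetical; vim uses expand_env(), mch_isdir() and vim_mkdir(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Same candidate list as TEMPDIRNAMES in vim's src/unix.h. */
static const char *tempdirs[] = { "$TMPDIR", "/tmp", ".", "$HOME" };

/* Expands a leading "$VAR"; returns 1 on success, 0 if the variable is
 * unset or empty. vim's expand_env() instead leaves the literal "$TMPDIR"
 * in the buffer, which is why a directory of that name in the working
 * directory gets stat()ed. */
static int expand_env_strict(const char *name, char *out, size_t outlen)
{
    if (name[0] == '$') {
        const char *val = getenv(name + 1);
        if (val == NULL || val[0] == '\0')
            return 0;
        snprintf(out, outlen, "%s", val);
        return 1;
    }
    snprintf(out, outlen, "%s", name);
    return 1;
}

/* Trust a temp directory only if it is a real directory (no symlink),
 * owned by the current user and not accessible to group or others.
 * A shared or attacker-supplied path fails this check. */
static int is_safe_private_dir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return 0;
    return 1;
}

/* Mirrors vim's loop: the first candidate that expands and is a directory
 * becomes the base; a "v<pid>" subdirectory is created there with
 * umask(077) and mode 0700, as in the quoted fileio.c code. vim retries
 * with another number on EEXIST; this model simply moves on to the next
 * candidate. Returns 0 and fills out on success, -1 otherwise. */
static int make_private_tempdir(char *out, size_t outlen)
{
    char base[2048];
    for (size_t i = 0; i < sizeof(tempdirs) / sizeof(tempdirs[0]); ++i) {
        struct stat st;
        if (!expand_env_strict(tempdirs[i], base, sizeof base))
            continue;                       /* unset $VAR: never stat "$VAR" */
        if (stat(base, &st) < 0 || !S_ISDIR(st.st_mode))
            continue;
        snprintf(out, outlen, "%s/v%ld", base, (long)getpid());
        mode_t saved = umask(077);
        int r = mkdir(out, 0700);
        umask(saved);
        if (r != 0)
            continue;
        if (is_safe_private_dir(out))
            return 0;
        rmdir(out);                         /* created, but not private */
    }
    out[0] = '\0';
    return -1;
}

int main(void)
{
    char path[4096];
    if (make_private_tempdir(path, sizeof path) != 0) {
        fprintf(stderr, "no usable temporary directory\n");
        return 1;
    }
    printf("private temp dir: %s\n", path);
    rmdir(path);
    return 0;
}
```

Run it once with TMPDIR unset and once with TMPDIR pointing at a world-writable directory: in the first case the "$TMPDIR" entry is skipped outright, and in both cases the directory that is actually handed back is the 0700 one the process just created, which is the property Nico's argument about permissions relies on.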
