-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Time-of-Check-Time-of-Use File Race in AFFLIB Release Date: 2007-04-27 Application: AFFLIB(TM) Versions: 2.2.0-2.2.8 and likely earlier versions. Severity: Low Author: Timothy D. Morgan Vendor Status: Vendor Notified CVE Candidate: CVE-2007-2056 Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-toctou.txt - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description: > From the forensicswiki.org website[1]: "The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata. It was developed by Simson Garfinkel and Basis Technology." AFFLIB(TM) is the reference implementation of the AFF(TM) format, written primarily by Simson Garfinkel. It comes in the form of an open source library and a set of command line tools used to manipulate AFF(TM) files. Vulnerability Overview: In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a security code review of AFFLIB(TM) as a part of an internal tool assessment process. As a result, multiple vulnerabilities of varying severities were discovered. The most significant of these vulnerabilities are being announced publicly to raise awareness and help end-users secure themselves against potential attack. A time-of-check-time-of-use race was discovered in AFFLIB(TM) which could allow an attacker on the local machine to overwrite an arbitrary file. Because the content of the file would not be controllable by an attacker, it is unlikely that this is vulnerability is exploitable for more than a denial-of-service. This vulnerability remains in the latest version (2.2.8) despite several notifications to the vendor. All line numbers listed below are from version 2.2.0. Vulnerability Details: File: aimage/aimage.cpp Lines: 554-575 Platforms Affected: Unix Description: A mostly predictable name for the lockfile as it is created under /tmp. An access check is first performed, and later the file is opened, truncating if it already exists. Since the time of check and time of use are not the same, a filesystem race could be exploited by a local attacker through the use of a symlink. Lines 548-582 are included below to illustrate the problem: int getlock(class imager *im) { /* If the file exists and the PID in the file is running, * can't get the lock. */ char lockfile[MAXPATHLEN]; sprintf(lockfile,"/tmp/aimge.%s.lock",im->infile); if(access(lockfile,F_OK)==0){ /* Lockfile exists. Get it's pid */ char buf[1024]; FILE *f = fopen(lockfile,"r"); if(!f){ perror(lockfile); // can't read lockfile... return -1; } fgets(buf,sizeof(buf),f); buf[sizeof(buf)-1] = 0; int pid = atoi(buf); if(checkpid(pid)==0){ /* PID is not running; we can delete the lockfile */ if(unlink(lockfile)){ err(1,"could not delete lockfile %s: ",lockfile); } } /* PID is running; generate error */ errx(1,"%s is locked by process %d\n",im->infile,pid); } FILE *f = fopen(lockfile,"w"); if(!f){ err(1,lockfile); } fprintf(f,"%d\n",getpid()); // save our PID. fclose(f); return 0; } This is likely only exploitable for a denial-of-service condition, since the attacker would have little control over the content being written (the process ID of aimage). Vendor Response: Simson Garfinkel was first contacted on 2007-03-31. The following timeline outlines the responses from the vendor regarding this issue: 2007-04-01 - Vendor provided details of all vulnerabilities identified. 2007-04-03 - Continued vendor communication. 2007-04-05 - Vendor released version 2.2.6, containing multiple security fixes. 2007-04-06 - Vendor notified VSR that fixes were released. 2007-04-09 - VSR notified vendor that 9 vulnerability instances still remained in latest release. 2007-04-12 - Vendor confirmed that remaining vulnerabilities would be fixed in next release. 2007-04-25 - Vendor released versions 2.2.7 and 2.2.8. Vendor did not notify VSR. 2007-04-27 - VSR discovered new versions were released. VSR inspected version 2.2.8 and found that no additional vulnerabilities were fixed. VSR advisories published. Recommendation: AFFLIB(TM) users should upgrade to the newest version. Third-party projects which rely on AFFLIB(TM) should encourage users to upgrade, and/or incorporate fixes into their distribution of the library. The update is available via: http://www.afflib.org/downloads/ - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following name to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2007-2056 - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- References: 1. AFF - Forensics Wiki http://www.forensicswiki.org/wiki/AFF - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This advisory is distributed for educational purposes only, and comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Vulnerability Disclosure Policy: http://www.vsecurity.com/disclosurepolicy.html - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- AFF(TM) and AFFLIB(TM) are trademarks of Simson Garfinkel and Basis Technology Corp. Included source code excerpts are copyright Simson Garfinkel and Basis Technology Corp. This advisory is copyright (C) 2007 Virtual Security Research, LLC. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGMjYCQ1RSUNR+T+gRAllIAJ0S6OYM4G21h2+bFx0SIt7v7BcyHACePvdt 0uH9FaFNgU1bpi0dh7XYkEs= =7bd7 -----END PGP SIGNATURE-----