Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Re: Re^2: Dangerous diamonds! (races)

by sauoq (Abbot)
on May 22, 2003 at 02:22 UTC ( #259964=note: print w/ replies, xml ) Need Help??


in reply to Re^2: Dangerous diamonds! (races)
in thread Dangerous diamonds!

Classic security exploits often involve race conditions:

How do you suppose user blackhat will manage to predict 1) that a root user will be using pgrep in a blackhat writable directory and 2) exactly when he should create his evil file?

Yes, exploiting race conditions is a classic attack strategy... against processes that run with elevated privileges and which are in some way predictable. Generally, they involve doing something repeatedly in a tight loop, like creating a symlink for instance. Attempting to use this strategy against a human being does not pose a realistic threat.

But mostly I still consider it a very poor tool that will leak file name contents into the execution stream.

I agree that it's a misfeature. This one issue isn't enough to make me call perl² a "poor tool" though.

That something as simple as using "pgrep" as root on files whose names you don't control can run arbitrary code (as root) is a serious security risk that could easily result in security being breached somewhere.

It's true that there is a security risk present here, but that risk is really very small. There aren't even simple criteria by which to determine if any particular system has a security vulnerability due to this behavior. Building on your example, even if pgrep is installed it may be that the root user only uses it responsibly or not at all.

But the huge number of implausible ways that are so easy to come up with convince me that this is a real risk; that someone will figure out a plausible way to use this to "break in" somewhere.

Even if someone figures out how to use this behavior to "'break in' somewhere', their attack will be specific to the system they are violating. If someone were able to write an exploit based on it that would affect any significant number of machines, the chances are that it would already have been done² a dozen times over and they'd all be available on every script-kiddy site on the web. If, on the other hand, a widely distributed perl script is found to misuse two-argument open(), then CERT should issue an advisory or at least a vulnerability note about the guilty script. In fact, there are several of those already. (e.g. VU#453475, VU#181907, VU#671444, etc.)

It is a larger security hole than many items that have been the subject of CERT advisories.

I respectfully disagree. Most CERT advisories address specific vulnerabilities which have well-defined exploits. There have, however, been a few general advisories such as CA-1997-25: Sanitizing User-Supplied Data in CGI Scripts which address a whole class of vulnerabilities. By the way, that one mentions Perl; it says,

"The cause of the problem is not the CGI scripting language (such as Perl and C). Rather, the problem lies in how an individual writes his or her script. In many cases, the author of the script has not sufficiently sanitized user-supplied input."
Let's face it though, the threat of an authorized user gaining elevated privileges on a system by seeding a directory with poisoned filenames is not nearly the same risk posed by a web user being able to gain unauthorized access to a system by feeding a CGI script a poisoned query.

I'll say again that I do think there needs to be a change. But let's keep a realistic view of the security implications. There is no cause for a panic inducing advisory. In fact, there is nothing here that should prevent a slow graceful transition from the current default behavior to something sane. That seems to be the direction things are already going. At least we have the 3-arg open() now. I advocate educating people and I agree that there hasn't been enough of that. I'll try to do my part from here on out.


[1] Nor, for that matter would I call the -p or -n switches or the diamond operator "poor tools." They are just tools that require a little more caution... like a band saw or a blow torch.

[2] This "feature" is not new; in fact, it's old. The problem is with two-argument open() not just that perl uses it with <>, -p, and such. Chip wrote about it here in Two-arg open() considered dangerous a year and a half ago. The 3-arg form was only introduced about a year and a half prior to that, iirc, when 5.6 came out. From perl56delta: "This is primarily useful for protecting against unintended magic behavior of the traditional two-argument form."

-sauoq
"My two cents aren't worth a dime.";


Comment on Re: Re^2: Dangerous diamonds! (races)
Re^4: Dangerous diamonds! (races)
by tye (Cardinal) on May 22, 2003 at 06:31 UTC

    Let me preface this by saying that most of this isn't very important. Most is arguing fine lines and grey areas and so it isn't anything for anyone to get upset about. I wanted to try to clarify a bit. Skip to the last two paragraphs if you are somehow reading this but don't care about minor details. (:

    How do you suppose user blackhat will manage to predict

    As I said, I don't have a plausible exploit handy. It was a 15-second demonstration of the race condition. Maybe he does something so low-tech as to peek over the cubicle wall.

    But I still consider "check what files are there before you use 'perl -ne ... *' as root" to be pretty poor advice. Just don't use 'perl -ne ... *' as root until the problem is fixed (and check that root isn't using any Perl tools that use <> somewhere inside).

    I can imagine the poor slob fixing his cron job to check for bad file names before running pgrep (as opposed to filtering out bad file names before feeding the filenames to pgrep or just fixing pgrep).

    I never said "Perl is a poor tool". I suppose I could have been more precise and said something awkward like... well, something awkward. If you read "it will be sad day when" and think, "Well, nothing happy will happen the entire day of when that happens"? I consider the feature of executing filenames to be a pathetic feature. But big adjectives don't make for eloquent speech.

    I guess you are right. I'm saying "CERT advisory" when I'm thinking of a broader concept that includes things like "SANS security alert".

    There is no cause for a panic inducing advisory.

    I really think "Don't use 'perl -ne ... *' as root" needs to be announced on several security alert streams. I don't think such needs to induce panic. I think it would be somewhat hard to word it so poorly that it would induce panic. *shrug*

    The problem is with two-argument open() not just that perl uses it with <>, -p, and such

    2-argument open just doesn't bother me near as much. I like to write open FH, "< $file\0" and have been doing that since Perl 4. That is every bit as safe as 3-argument open (if I am to believe the Perl 4 manuals) or the older sysopen. Sure, you can misuse 2-argument open and, as an interface design it affords such misuse and so isn't a great interface design. But I think <> goes a step beyond affording misuse, it makes it trivial to misuse and dang hard to use safely and the unsafe usage doesn't seem useful to me (as open says, the magic nature can be useful by making it easy for users to tell you to get your input from a command instead of a file).

    But none of this is that important.

    a slow graceful transition from the current default behavior to something sane. That seems to be the direction things are already going.

    I hope so. I don't see that yet.

                    - tye
      I never said "Perl is a poor tool". I suppose I could have been more precise and said something awkward

      I realized what you intended to say after I responded to it. That's why I added the footnote. You stated it well enough; the confusion was mine. I'm sorry I didn't take the time to reword my response there.

      I consider the feature of executing filenames to be a pathetic feature.

      I do agree. I just don't think that the implications are all that serious in reality. From a theoretical standpoint, it's friggin' terrible. But once you take into account how systems are really used, the impact is minimal because it is so impractical to exploit.

      I don't think such needs to induce panic.

      I guess big nouns don't always make for eloquent speech either. Like I said, I do advocate education. I'd prefer a "using perl -ne as root has some security implications you should be aware of" to an absolutist "don't do it" approach though.

      2-argument open just doesn't bother me near as much.

      Really? Now see, that one bothers me a lot more. And for a very simple reason: it has resulted in many more actual serious security vulnerabilities. In theory, it might be less egregious but in practice it has been improperly used by scads of casual programmers who have unwittingly written innumerable remote exploits. And they continue to do so. That's a problem that won't go away until two-argument open does (or is fixed.)

      -sauoq
      "My two cents aren't worth a dime.";
      
        scads of casual programmers who have unwittingly written innumerable remote exploits

        Very good point.

        Part of why <> upsets me more is that the fix is obvious to me and I'm galled by people claiming that it isn't a problem and can't be fixed. My preference would be to immediately change the default behavior under the theory that it fixes more (by far) existing code than it breaks.

        I also see real usefulness in the magical, 2-argument open. Which makes it harder for me to see how to fix the problems with it. And I try not to get upset over complex problems that I don't see clear, non-trade-off solutions for. There are just way too many of those in the world and I prefer not to spend so much of my time being upset.

        But I can certainly appreciate where you are coming from now. (:

                        - tye

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://259964]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (8)
As of 2014-08-27 12:38 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best computer themed movie is:











    Results (238 votes), past polls