
I was given an assignment for my Computer Security class. We were given a piece of code to analyze and determine the vulnerabilities that it might have.

#!/bin/sh
# shell script to create a copy of the shadow file to the /tmp directory

echo > /tmp/shadowcopy

# allow only root access
chmod 600 /tmp/shadowcopy

# append the original file to the copy
cat /etc/shadow >> /tmp/shadowcopy

# Hint: the access permissions of a file in linux are verified when the file is opened.
# the process will keep the original permissions as long as it keeps the file open, even
# if permissions change. 

Some classmates and I determined that this script might suffer from a race condition vulnerability if two separate processes try to open /tmp/shadowcopy.

We also think that command injection vulnerability could be possible if the /tmp/shadowcopy is changed before the append begins.

Are our assumptions about this shell script correct, or are we missing an important vulnerability that might be exploited if the script is used?

Shelvacu
Alan W

2 Answers

The cat binary doesn't implement flock() calls using LOCK_EX for exclusive write access, so your assumption is correct.

You can verify that by following the system calls issued by that or any binary by running strace cat file.

A way to prevent the problem would be as follows:

#!/bin/bash

set -e

(
  flock -n 200

  echo > /tmp/shadowcopy

  chmod 600 /tmp/shadowcopy

  cat /etc/shadow >> /tmp/shadowcopy
) 200>/var/lock/.mylock

The permissions also can pose a race condition as someone can issue a tail -f /tmp/shadowcopy prior to your chmod command to gain access.

For further reading on best security practices regarding race conditions you should take a look at fcntl(), flock() & stat().

Or if someone else was on the device watching the buffer they could access the hashes as well, see https://gist.github.com/jas-/9534117.

It is proof of concept for scraping memory from a running process.

jas-
  • Is there any way to prevent race condition from occurring? Could we possibly lock the file from being read by other processes? – Alan W May 13 '15 at 18:03
  • 1
    I don't see how cat is relevant here. And O_EXCL is an open(2) flag, unrelated to flock(). – Ángel May 13 '15 at 23:20
  • It is only relevant for the buffer and the redirect doesn't exclusively lock the file. You're right, I meant LOCK_EX. I have updated the answer, thanks. – jas- May 14 '15 at 01:57
  • How can locking a completely different file help in this case (from a security point of view)? The spying process can just ignore this locking anyway. – goteguru Sep 18 '15 at 11:28
  • True, don't give them the tools (through the use of fs ACL's) to permit strace, truss, gdb or other memory scraping binaries. But that is beyond the scope of the question isn't it. – jas- Sep 19 '15 at 13:52

I agree that the exercise is intended to detect the race condition, but as there's no error checking in place (just a set -e would work), there are more holes available:

As /tmp is a shared folder, I can create a /tmp/shadowcopy with mode 666 (so you can open and write it, but not chmod). If your script were run by a member of the shadow group (so /etc/shadow can be read without being root), you will end up with a copy that is perfectly readable by your user.

Also note that the race condition is infinitely long, as the attacker can create and open the file beforehand, it doesn't need to race between the echo and chmod.

If /tmp/shadowcopy was created as a symlink, you could create a file with an arbitrary name and contents of the shadow file (assuming the script is run by root). Mostly useful as a denial of service, e.g. ln -s /tmp/shadow /boot/vmlinuz-3.16.0-4-amd64 would replace the kernel and thus make the machine unbootable.

Ángel
  • Can we call an 'infinite long race condition' a race condition? Where is the race? However, because there is no `chown` just `chmod` and the file got never deleted, the attacker simply creates /tmp/shadowcopy beforehand and that's all. He will be the owner forever. `chmod 600` won't help too much. – goteguru Sep 18 '15 at 11:19
  • _Can we call an 'infinite long race condition' a race condition?_ Not really, that's why I called it a “_race condition with no race_”. The point is that they intended it as a race condition. If instead of `/tmp` it was a world-readable folder, you would have to exploit the race condition. – Ángel Sep 18 '15 at 21:59
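Pulling both answers together (the "create it private from the start" point behind jas-'s mention of stat() and the permission race, and the pre-created-file and symlink problems Ángel describes), here is an added hardened version of the assignment script. It is not from the question or from either answer; it assumes a POSIX sh with mktemp(1), find(1) and id(1) available, and it takes the source file and destination directory as parameters so it can be run against a constructed source file rather than /etc/shadow. The function and path names are my own.

```shell
#!/bin/sh
# Added example (not from the question or either answer): a hardened
# version of the /tmp/shadowcopy script. Assumes POSIX sh, mktemp(1),
# find(1) and id(1). Usage: sh safe_copy.sh SRC DEST_DIR

# Succeeds only if PATH is a regular file (not a symlink), owned by the
# calling user, mode exactly 0600, with a single hard link. find(1) with
# -prune looks at the path itself; without -L, -type f is evaluated on a
# symlink rather than its target, so a planted symlink fails the check.
is_private_regular_file() {
    [ -n "$(find "$1" -prune -type f -user "$(id -un)" \
                -perm 600 -links 1 -print 2>/dev/null)" ]
}

# Copy SRC into a freshly created private file in DEST_DIR.
# Prints the copy's path on success; exit status 0 on success, non-zero
# otherwise. Runs in a subshell so umask does not leak to the caller.
safe_copy() (
    src=$1
    dest_dir=$2

    # The original script creates the file world-readable and only then
    # runs chmod; anyone who opened it in between keeps access. Setting
    # umask first means the creating open() itself yields mode 0600.
    umask 077

    # Never write to a fixed name in a shared directory: an attacker can
    # have pre-created it (or a symlink) and own it forever. mktemp picks
    # a fresh name, creates it with O_CREAT|O_EXCL and mode 0600, and
    # fails rather than reusing anything that already exists.
    tmp=$(mktemp "$dest_dir/shadowcopy.XXXXXX") || return 1

    # Belt and braces: confirm the file is really ours and private before
    # putting secrets in it.
    is_private_regular_file "$tmp" || { rm -f "$tmp"; return 2; }

    # The file is empty and ours, so appending (as the original does) is
    # fine; on any failure remove the partial copy instead of leaving it.
    cat "$src" >> "$tmp" || { rm -f "$tmp"; return 3; }

    printf '%s\n' "$tmp"
)

# Stand-alone use: sh safe_copy.sh /etc/shadow /root/private
if [ "$#" -eq 2 ]; then
    safe_copy "$1" "$2"
fi
```

The two checks that matter are the ones the original script lacks: the file is born private (umask before creation, not chmod afterwards), and the name is chosen by mktemp rather than fixed, so a pre-created /tmp/shadowcopy, whether a mode-666 file or a symlink pointing somewhere sensitive, is never written to at all. The is_private_regular_file check is what a stat()-based verification looks like from the shell; it is cheap to run before every write of sensitive data into a shared directory.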