alpine 3.7
tmpfile weakness #38

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

ckermit/src/ckufio.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 tmpfile weakness.

     if (logged_in)
      logwtmp(cksysline, "", "");
#endif /* CKWTMP */
    pw = NULL;
    logged_in = 0;
    guest = 0;
    isguest = 0;
}

#ifdef FTP_KERBEROS
kpass(name, p) char *name, *p; {
    char instance[INST_SZ];
    char realm[REALM_SZ];
    char tkt_file[20];
    KTEXT_ST ticket;
    AUTH_DAT authdata;
    unsigned long faddr;
    struct hostent *hp;

    if (krb_get_lrealm(realm, 1) != KSUCCESS)
      return(0);

    ckstrncpy(tkt_file, TKT_ROOT, 20);
    ckstrncat(tkt_file, "_ftpdXXXXXX", 20);
    krb_set_tkt_string(mktemp(tkt_file));

    (VOID) ckstrncpy(instance, krb_get_phost(hostname), sizeof(instance));

    if ((hp = gethostbyname(instance)) == NULL)
      return(0);

#ifdef HADDRLIST
    hp = ck_copyhostent(hp);		/* safe copy that won't change */
#endif /* HADDRLIST */
    bcopy((char *)hp->h_addr, (char *) &faddr, sizeof(faddr));

    if (krb_get_pw_in_tkt(name, "", realm, "krbtgt", realm, 1, p) ||
        krb_mk_req(&ticket, "rcmd", instance, realm, 33) ||
        krb_rd_req(&ticket, "rcmd", instance, faddr, &authdata, "") ||
        kuserok(&authdata, name)) {
        dest_tkt();
        return(0);
    }
    dest_tkt();
    return(1);
}
#endif /* FTP_KERBEROS */

VOID
zsyslog() { 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.