MATLAB Unsafe Temporary Files Lets Local Users Overwrite Certain Files or Cause Target Users to Execute Arbitrary Code

SecurityTracker Alert ID: 1005852
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 23 2002
Impact: Execution of arbitrary code via local system, Modification of user information
Vendor Confirmed: Yes

Description: A vulnerability was reported in MATLAB. A local user may be able to overwrite certain files on the system or cause other users to execute arbitrary code.

It is reported that the 'matlab' scripts (on UNIX/Linux systems) use unsafe temporary files with predictable file names. The scripts use the following type of file name (with $$ representing the process ID [pid]):

/tmp/$$a

A local user can create a symbolic link from this file name to another file on the system. Then, when a target user invokes matlab, the linked file will be overwritten (if the target user has write privileges for the linked file).

According to the report, the 'mex' script may use the /tmp/$$a and /tmp/$$b files. It may execute any existing /tmp/$$a script. A local user can create a symbolic link from this file name to another file on the system. Then, when the target user invokes the script, the linked file will be executed with the privileges of the target user.

Impact: A local user can cause a target user to overwrite files on the system or execute arbitrary code on the system (with the privileges of the target user).

Solution: No solution was available at the time of this entry. According to the report, the vendor is working on a fix for the next release of MATLAB R14. An unofficial patch is provided in the Source Message.

Vendor URL: www.mathworks.com/products/
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Paul Szabo <psz@maths.usyd.edu.au>
Message History: None.

Source Message Contents

Date: Mon, 23 Dec 2002 06:08:48 +1100
From: Paul Szabo <psz@maths.usyd.edu.au>
Subject: Matlab /tmp usage

INTRODUCTION

MATLAB is "The Language of Technical Computing"
http://www.mathworks.com/

PROBLEM

As installed on UNIX machines, matlab uses shell scripts to launch; these
scripts use files in /tmp in an unsafe way.

DETAILS

The matlab script uses /tmp/$$a and may clobber it, allowing an attacker
to "wipe out" any file belonging to the matlab user. Suppose the attacker
guesses what PID will be used next and creates a symlink with

  ln -s ~victim/.profile /tmp/PIDa

then waits for the victim to run matlab: the victim's .profile gets
overwritten with garbage. (If root ever uses matlab then any file, e.g.
/etc/passwd, could similarly be trashed.)

It might be argued that it is hard to guess what PID will be used next.
It is easy enough to create a few thousand symlinks with likely PIDs; in
fact the attacker could create a symlink for every possible PID (as these
normally range from 0 to 32k or 64k).

The mex script may similarly clobber both /tmp/$$a and /tmp/$$b. Worse,
it sources (executes) any existing /tmp/$$a script, allowing an attacker
to execute any commands as the mex user. Proof-of-concept
(script-kiddie-safe) code:

  echo 'echo You lose: rm -rf $HOME >> $HOME/.profile' > /tmp/evil
  perl -e 'for (1..32000) { symlink "/tmp/$_a", "/tmp/evil" }'

then wait for any victim to use mex (if root ever uses mex then any
actions may be taken).

VENDOR COMMUNICATION

   5 Dec 2002  MathWorks notified
  10 Dec 2002  case ID is: 1034529
  16 Dec 2002  engineers [will] try to validate
  18 Dec 2002  working on a solution for the next release of MATLAB R14
  18 Dec 2002  if you have a WORKING fix ... [recommend] comp.soft-sys.matlab

WORKAROUND/PATCH

I suggest you use something similar to the following patches. (Standard
textbook techniques: use a safe directory, and do not use files at all.)

*** matlab/6.5/bin/matlab.old Tue Sep 24 10:52:30 2002
--- matlab/6.5/bin/matlab Thu Dec 19 08:36:04 2002
***************
*** 137,145 ****
#
# Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
#
! temp_file=/tmp/$$a
#
! trap "rm -f $temp_file; exit 1" 1 2 3 15
#
#========================= archlist.sh (start) ============================
#
--- 137,147 ----
#
# Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
#
! temp_dir=/tmp/$$a
! temp_file=$temp_dir/a
! mkdir -m 700 $temp_dir || exit 1
#
! trap "rm -rf $temp_dir; exit 1" 1 2 3 15
#
#========================= archlist.sh (start) ============================
#
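Review bot: `mkdir -m 700 $temp_dir || exit 1` still uses the predictable name /tmp/$$a, so anyone who pre-creates that name (as a file, directory or symlink) makes matlab exit with status 1 and no explanation beyond whatever mkdir prints. The clobbering is closed because mkdir fails rather than following an existing entry, but consider an unpredictable name (for example `mktemp -d` where the platform provides it) and an explicit error message before the exit. Quoting "$temp_dir" in the mkdir and trap lines would also be safer if the path ever gains a configurable component.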
***************
*** 1790,1798 ****
echo '------------------------------------------------------------------------') >> $temp _file
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
more $temp_file
! rm -f $temp_file
exit 0
fi
#
# Export the variables
#
--- 1792,1801 ----
echo '------------------------------------------------------------------------') >> $temp _file
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
more $temp_file
! rm -rf $temp_dir
exit 0
fi
+ rm -rf $temp_dir
#
# Export the variables
#
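Review bot: the unconditional `rm -rf $temp_dir` added after `fi` is the only cleanup on the normal path, and the trap in the first hunk covers only signals 1 2 3 15, so any other `exit` between the mkdir and this line leaves /tmp/$$a behind, and a later run that gets the same PID would then fail at the mkdir. A trap on 0 that removes the directory would cover every exit path in one place. Also confirm that nothing after this point still reads or writes $temp_file, since the directory is gone from here on.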
*** matlab/6.5/bin/mex.old Tue Sep 24 10:52:30 2002
--- matlab/6.5/bin/mex Thu Dec 19 11:07:34 2002
***************
*** 1014,1021 ****
exit 1
fi
if [ "$verbose" = "1" ]; then
! temp_file=/tmp/$$b
! files_to_remove="$files_to_remove $temp_file"
. $MATLAB/bin/util/oscheck.sh
if [ "$oscheck_status" = "1" ]; then
cleanup
--- 1014,1023 ----
exit 1
fi
if [ "$verbose" = "1" ]; then
! temp_dir=/tmp/$$b
! temp_file=$temp_dir/b
! files_to_remove="$files_to_remove $temp_dir"
! mkdir -m 700 $temp_dir || exit 1
. $MATLAB/bin/util/oscheck.sh
if [ "$oscheck_status" = "1" ]; then
cleanup
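Review bot: `files_to_remove` now holds a directory, and the `cleanup` function is not part of this patch; if it removes its list with `rm -f`, /tmp/$$b will be left behind, so it needs `rm -rf` or the directory needs its own removal. The new `mkdir -m 700 $temp_dir || exit 1` also exits directly, while the oscheck failure path just below it calls `cleanup`. If the mkdir failure path is changed to call `cleanup` too, add $temp_dir to `files_to_remove` only after the mkdir has succeeded, so that a pre-existing entry owned by someone else is never the target of the removal.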
***************
*** 1031,1038 ****
#
# Source the file of argument variables, name=[def]
#
! if [ -f /tmp/$$a ]; then
! . /tmp/$$a
fi
#
--- 1033,1043 ----
#
# Source the file of argument variables, name=[def]
#
! #if [ -f /tmp/$$a ]; then
! # . /tmp/$$a
! #fi
! if [ -n "$EVAL_ASSIGNS" ]; then
! eval "$EVAL_ASSIGNS"
fi
#
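Review bot: the three commented-out lines that used to source /tmp/$$a should be deleted rather than kept; leaving the old unsafe construct in the file invites someone to re-enable it, and the patch itself is the record of what was there. Since `eval "$EVAL_ASSIGNS"` runs whatever the variable holds, a short comment naming where it is built (the `*[=\#]*)` argument case) would help the next reader audit it.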
***************
*** 1505,1510 ****
--- 1510,1516 ----
ARCH=
Arch='Undetermined'
verbose=0
+ EVAL_ASSIGNS=
#
# Use a C entry point by default
#
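Review bot: `EVAL_ASSIGNS=` needs a comment, because it is more than tidiness: without this reset, a value of EVAL_ASSIGNS inherited from the caller's environment would reach the `eval` introduced in the previous hunk. Say so next to the assignment so it is not removed later as a redundant initialisation, and check that this block always runs before the eval is reached.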
***************
*** 1698,1705 ****
*[=\#]*)
lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
! echo $lhs='"'$rhs'"' >> /tmp/$$a
! files_to_remove="$files_to_remove /tmp/$$a"
;;
*.c) # c source file.
cfiles='1'
--- 1704,1712 ----
*[=\#]*)
lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
! #echo $lhs='"'$rhs'"' >> /tmp/$$a
! #files_to_remove="$files_to_remove /tmp/$$a"
! EVAL_ASSIGNS="$EVAL_ASSIGNS$lhs="'"'"$rhs"'";'
;;
*.c) # c source file.
cfiles='1'
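Review bot: in `EVAL_ASSIGNS="$EVAL_ASSIGNS$lhs="'"'"$rhs"'";'` the right-hand side is wrapped in double quotes but not escaped, so a value containing a double quote, `$`, a backquote or a backslash is reinterpreted when the string is later passed to eval. The old `echo ... >> /tmp/$$a` line had the same property, so this is not a regression, but the move to eval is a good moment to escape those four characters in $rhs before appending. The `[a-zA-Z0-9_]*` pattern also lets $lhs be empty or start with a digit, which is not a valid shell assignment; rejecting such arguments with an error would be clearer.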
SIGNATURE
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
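
The three behaviours discussed above (the original redirect, the patch's mkdir at a predictable name, and a directory with an unpredictable name) compared side by side, as an added example that is not part of the advisory or of the patch. It runs entirely inside a scratch directory; the name 1234a stands in for /tmp/$$a with a guessed PID, and all function names are made up for this illustration.

```sh
#!/bin/sh
# Added example, not from the advisory. Runs only inside a scratch sandbox;
# "1234a" stands in for /tmp/$$a with a guessed PID (constructed value).

# Original pattern: redirect into a predictable name (follows a symlink).
write_predictable() {                 # $1 = dir, $2 = predictable name
    echo 'MATLABPATH=constructed' > "$1/$2"
}

# Patch's pattern: mkdir at the predictable name. mkdir fails if anything,
# including a symlink, already has that name, so nothing is followed.
mkdir_predictable() {                 # $1 = dir, $2 = predictable name
    mkdir -m 700 "$1/$2" 2>/dev/null || return 1
    echo 'MATLABPATH=constructed' > "$1/$2/a"
}

# Unpredictable name: a planted entry can neither redirect nor block it.
mktemp_private() {                    # $1 = dir
    d=$(mktemp -d "$1/mlab.XXXXXX") || return 1
    echo 'MATLABPATH=constructed' > "$d/a"
}

# Reset the sandbox: a file worth protecting plus a symlink already sitting
# at the predictable name, the precondition the advisory describes.
plant() {
    printf 'important\n' > "$1/victim"
    ln -sf "$1/victim" "$1/1234a"
}

victim_state() {
    if [ "$(cat "$1/victim")" = important ]; then echo intact; else echo clobbered; fi
}

run_demo() {
    s=$(mktemp -d) || return 1
    plant "$s"; write_predictable "$s" 1234a
    r1="redirect:ran,$(victim_state "$s")"
    plant "$s"
    if mkdir_predictable "$s" 1234a; then ran=ran; else ran=refused; fi
    r2="mkdir:$ran,$(victim_state "$s")"
    plant "$s"
    if mktemp_private "$s"; then ran=ran; else ran=refused; fi
    r3="mktemp:$ran,$(victim_state "$s")"
    rm -rf "$s"
    echo "$r1 $r2 $r3"
}

run_demo
# prints: redirect:ran,clobbered mkdir:refused,intact mktemp:ran,intact
```

The middle result is the trade-off in the patch: the protected file survives, but the script cannot proceed while the predictable name is occupied.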