Concerning a possible race condition in the 'inn' package

Russ Allbery rra at stanford.edu
Thu Sep 1 20:35:18 UTC 2005


Ben Schwarz <bschwarz at EECS.berkeley.EDU> writes:

> The specific type of bug which we have found is a time-of-check to
> time-of-use vulnerability. These often occur when two system calls are
> performed that re-use the same literal pathname. For instance, an
> example of a vulnerability would be a setuid program that checks if a
> user has access to view a file (e.g., through the access() system call),
> and then opens the file (e.g., with open() ) if the user was deemed
> privileged. The problem is that this sequence of operations is not
> atomic, and access privileges could be changed between the two system
> calls.

[...]

> URL with program traces for this package:
> https://taverner.cs.berkeley.edu/traces/race/inn-2.3.4-2/HTMLtrace/

> Programs with bugs:
> fastrm (fastrm.c line 442)

fastrm is not designed or intended for use with world-writable file
systems.  It is designed for cleaning out the INN news spool.  If an
attacker has access to modify the directory hierarchy, they already have
the same privileges as fastrm and can unlink whatever files they wish
themselves.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
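The check-then-use window Ben describes above can be shown in a few lines of C. The program below is an added illustration, not code from the thread or from INN. It uses an lstat() "is this a plain file?" check rather than access() so that swapping the name for a symlink visibly invalidates the check whichever uid runs it; the constructed scenario lives in a temporary directory under /tmp on a POSIX/Linux system and the file names "good" and "other" are assumptions. The hardened form opens once with O_NOFOLLOW and validates the object it actually got via fstat() on the descriptor, so there is no second path lookup to race. As Russ notes, this only matters where some less-privileged party can modify the directory between the two calls.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check step of the vulnerable pattern: "is PATH a plain file?"  The answer
 * describes the name at this instant, not the object that is opened later. */
static int check_is_regular(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Use step of the vulnerable pattern: the same name is resolved again from
 * scratch, so whatever PATH points to *now* is what gets opened. */
static int use_open(const char *path) {
    return open(path, O_RDONLY);
}

/* Hardened form: open first, refusing to follow a symlink at the final
 * component, then check the object actually opened through its descriptor. */
int open_regular_nofollow(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* a symlink here fails with ELOOP */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

static void write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        if (write(fd, text, strlen(text)) < 0) { /* ignored in the demo */ }
        close(fd);
    }
}

static void read_string(int fd, char *buf, size_t n) {
    ssize_t r = fd >= 0 ? read(fd, buf, n - 1) : -1;
    buf[r > 0 ? (size_t)r : 0] = '\0';
}

/* Constructed scenario: the check passes on a harmless regular file, then the
 * name is swapped for a symlink inside the check/use window.  On return,
 * vuln_out holds what the check-then-use sequence read and *hardened_fd holds
 * what the hardened open returned (-1 expected).  Returns 0, or -1 on a
 * setup failure. */
int demo_toctou(char *vuln_out, size_t n, int *hardened_fd) {
    char dir[] = "/tmp/toctou-XXXXXX";   /* assumed writable scratch location */
    char good[256], other[256];
    if (!mkdtemp(dir))
        return -1;
    snprintf(good, sizeof good, "%s/good", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    write_file(good, "harmless");
    write_file(other, "swapped");

    int passed = check_is_regular(good);  /* time of check: a regular file */

    /* The window: another party replaces the name with a symlink. */
    unlink(good);
    if (symlink(other, good) != 0)
        passed = 0;

    int fd = use_open(good);              /* time of use: follows the symlink */
    read_string(fd, vuln_out, n);
    if (fd >= 0)
        close(fd);

    *hardened_fd = open_regular_nofollow(good);
    if (*hardened_fd >= 0)
        close(*hardened_fd);

    unlink(good);
    unlink(other);
    rmdir(dir);
    return passed ? 0 : -1;
}

int main(void) {
    char buf[64];
    int hfd;
    if (demo_toctou(buf, sizeof buf, &hfd) != 0)
        return 1;
    printf("check-then-use sequence read: \"%s\"\n", buf);
    printf("hardened open returned:       %d\n", hfd);
    return 0;
}
```

The vulnerable sequence reads "swapped" even though the check approved a different object; the hardened open refuses the symlink outright. When a check must be about permissions rather than file type, the same principle applies: obtain the descriptor first, then decide with fstat() on that descriptor (or run the open itself with the caller's real uid), instead of deciding on a name that can change underneath you.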
