Week 12: File System Issues
Pascal Meunier, Ph.D., M.Sc., CISSP
April 4, 2007
Developed thanks to the support of Symantec Corporation, NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center
Copyright (2007) Purdue Research Foundation. All rights reserved.
File System Vulnerabilities
Most common attack vectors:
- Symlink attacks (234 in April 2004, 479 on 4/4/07)
- Directory traversal attacks (252 in 2004, 1107 on 4/4/07)
Other attack vectors:
- Information leakage
  - Recycled disk space and buffers
  - File descriptors
- Insecure file permissions (configuration issue)
- File system "mounting" issues (administration issue)
Mounting File Systems
External or removable disks and remote file systems may contain malicious programs
- The attacker decided which programs would have the setuid or setgid bit set
Some file systems can be mounted with a "nosuid" option
- Safer if you don't trust setuid or setgid programs on that file system -- the setuid and setgid bits are ignored
- Can be bypassed by "helpful" executables in your OS
  - suidperl allows setuid execution of scripts even on filesystems mounted with the nosuid option!
Other option: "noexec"
- Binaries can't be executed
Mounting File Systems with Symlinks
Symlinks may point to unexpected locations
- sshfs: symlinks are not followed by default
  - follow_symlinks option must be specified
  - transform_symlinks option translates absolute paths in the remote filesystem into relative ones that work in the mounted environment
- mount: adfs has options for handling symlinks (Acorn)
  - nothing for ext2, ext3, ...
Additional Reference
http://www2.educ.umu.se/~bjorn/linux/howto/NFS-HOWTO-6.html
Windows Example
Recursive deletion utility: "rd"
Scenario:
- Attacker makes a link from c:\temp\tempdir to c:\windows\system32 or any other sensitive directory
- Administrator does "rd /s c:\temp"
- Sensitive directory is erased!
(Example from Howard and LeBlanc 2003)
Note: Unlike the Windows "rd" utility, the UNIX command "rm -rf" does not traverse symlinked directories when deleting
- But what happens when you do "rm -rf" on a Windows directory junction from within a Cygwin shell?
Other Example: XFree86 startx
CVE-1999-0433
Symlink vulnerability
XFree86 runs as root, creates a temporary file
What will this do?
- ln -s /dev/hd0 /tmp/.tX0-lock
- startx
Note: /dev/hd0 refers to a hard disk
Answer
XFree86 will write its temporary file to the raw device, messing up the file system...
Exercise
Examine the installer script named "find_java.sh"
- Location provided by instructor
What does it do?
- What should the variable $jvm contain? What is the source of its value?
- What should the variable $VAR contain? What is the source of its value?
Which program does the script really run?
- How can this be exploited?
Exercise Answers
The script executes a program named "java"
Through links, another program may be invoked, masquerading as the real java
- This program could check if it has root privileges and do nasty things when it does
  - During the install or later
  - Pass control to the real java when done, so as not to raise suspicions
Problem
What happens between the attribute check, and the subsequent actions on the file?
- The function call acts upon a name, not a handle!
Similar problem for UNIX
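The UNIX side of this, using the lock-file case from the startx slide, as an added C example that is not part of the original slides. The function names, the /tmp/lockdemo.* directory and the file contents are constructed for illustration; the "before" function follows a planted symlink, the hardened one refuses it and checks the file through its descriptor rather than its name.

```c
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, symlink, O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static const char DATA[] = "important data\n";  /* constructed victim contents */

/* "Before": follows a symlink and truncates whatever the name resolves to. */
static int create_lock_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails if the name already exists (a symlink counts, even a
 * dangling one); O_NOFOLLOW refuses a symlink as the final path component. */
static int create_lock_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* Verify the object through the handle, not through the name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp directory: the lock name is a symlink
 * to "victim". Returns 1 if victim was clobbered, 0 if intact, -1 on setup error. */
int victim_clobbered(int hardened) {
    char dir[] = "/tmp/lockdemo.XXXXXX", victim[64], lock[64];
    struct stat st; FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs(DATA, f); fclose(f);
    if (symlink(victim, lock) != 0) return -1;
    int fd = hardened ? create_lock_safe(lock) : create_lock_unsafe(lock);
    if (fd >= 0) { if (write(fd, "12345\n", 6) < 0) perror("write"); close(fd); }
    int intact = stat(victim, &st) == 0 && st.st_size == (off_t)(sizeof DATA - 1);
    unlink(lock); unlink(victim); rmdir(dir);
    return intact ? 0 : 1;
}

int main(void) {
    printf("unsafe=%d hardened=%d\n", victim_clobbered(0), victim_clobbered(1));
    return 0;
}
```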
Creating Files in Windows
Calling "CreateFile" with the
- "CREATE_NEW" flag will create a file, and fail if it exists
  - Good for file locks
  - But where did you just create it?
    - In /tmp/adir/?
      » What if adir was replaced with a directory junction?
- "OPEN_EXISTING" flag will open an existing file, and fail if the file doesn't exist
  - But which file did you really open?
Other users can create (given permissions)
- Directory junctions
- Hard links
- And now symbolic links (old applications may be insecure when running on Vista)
Windows: Changing Attributes
The call uses a file name, which may point to something unexpected through directory junctions or hard links
    BOOL SetFileAttributes(
        LPCTSTR lpFileName,
        DWORD dwFileAttributes
    );
lpFileName is a path
Windows: Deleting a File
    BOOL DeleteFile(
        LPCTSTR lpFileName
    );
Argument is a path
Will delete a hard link and not the file pointed to
- Good
May delete something unexpected by following directory junctions
- Bad, but note that there are legitimate uses for junctions
Make sure that there are no unexpected directory junctions in the path
- How do you do that? (see next slides!)