File System Security: Mounting, Symlinks, and File Handling in UNIX and Windows, Study notes of History of Education

Covers the security risks associated with mounting file systems, symlinks, and file handling in UNIX and Windows. Topics include the setuid and setgid bits, NFS, XFree86, and creating, opening, and deleting files. The document also provides recommendations for securing directories and handling symlinks.

Typology: Study notes

Pre 2010

Uploaded on 07/30/2009

koofers-user-cwf
Week 12: File System Issues
Pascal Meunier, Ph.D., M.Sc., CISSP
April 4, 2007
Developed thanks to the support of Symantec Corporation,
NSF SFS Capacity Building Program (Award Number 0113725)
and the Purdue e-Enterprise Center
Copyright (2007) Purdue Research Foundation. All rights reserved.


File System Vulnerabilities

• Most common attack vectors:
  • Symlink attacks (234 in April 2004, 479 on 4/4/07)
  • Directory traversal attacks (252 in 2004, 1107 on 4/4/07)
• Other attack vectors:
  • Information leakage
    • Recycled disk space and buffers
    • File descriptors
  • Insecure file permissions (configuration issue)
  • File system "mounting" issues (administration issue)

Mounting File Systems

• External or removable disks and remote file systems may contain malicious programs
  • The attacker decided which programs would have the setuid or setgid bit set
• Some file systems can be mounted with a "nosuid" option
  • Safer if you don't trust setuid or setgid programs on that file system -- the setuid and setgid bits are ignored
  • Can be bypassed by "helpful" executables in your OS
    • suidperl allows setuid execution of scripts on filesystems even mounted with the nosuid option!
• Other option: "noexec"
  • Binaries can't be executed
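
An added example (not part of the original slides): a small audit of mount-table lines that flags remote or removable file systems mounted without "nosuid" or "noexec". The list of file system types treated as untrusted and the sample lines are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Exact-token match in a comma-separated option list. A substring search
   would be wrong here: strstr(opts, "suid") also matches "nosuid". */
static int has_opt(const char *opts, const char *want) {
    size_t n = strlen(want);
    for (const char *p = opts; *p; ) {
        size_t len = strcspn(p, ",");
        if (len == n && strncmp(p, want, n) == 0) return 1;
        p += len;
        if (*p == ',') p++;
    }
    return 0;
}

/* Assumed policy: file system types treated as remote or removable. */
static int untrusted_fstype(const char *type) {
    static const char *types[] = { "nfs", "nfs4", "cifs", "vfat",
                                   "iso9660", "fuse.sshfs" };
    for (size_t i = 0; i < sizeof types / sizeof *types; i++)
        if (strcmp(type, types[i]) == 0) return 1;
    return 0;
}

/* Audit one line in /proc/mounts format (device, mount point, type, options).
   Returns a bitmask: 1 = nosuid missing, 2 = noexec missing; 0 if the entry
   is out of scope or has both options; -1 if the line does not parse. */
int audit_mount_line(const char *line) {
    char dev[256], dir[256], type[64], opts[512];
    if (sscanf(line, "%255s %255s %63s %511s", dev, dir, type, opts) != 4)
        return -1;
    if (!untrusted_fstype(type)) return 0;
    return (has_opt(opts, "nosuid") ? 0 : 1) | (has_opt(opts, "noexec") ? 0 : 2);
}

int main(void) {
    /* Constructed sample lines, not taken from a real system. */
    const char *sample[] = {
        "server:/export /mnt/nfs nfs rw,relatime,vers=3 0 0",
        "/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,relatime 0 0",
        "host:/home /mnt/ssh fuse.sshfs rw,nosuid,nodev 0 0",
        "/dev/sda1 / ext4 rw,relatime 0 0",
    };
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++)
        printf("%d  %s\n", audit_mount_line(sample[i]), sample[i]);
    return 0;
}
```

The check covers mount options only; it cannot detect a "helpful" executable such as suidperl that ignores nosuid.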

Mounting File Systems with Symlinks

• Symlinks may point to unexpected locations
  • sshfs: symlinks are not followed by default
    • follow_symlinks option must be specified
    • transform_symlinks option translates absolute paths in the remote filesystem into relative ones that work in the mounted environment
  • mount: adfs has options for handling symlinks (Acorn)
    • nothing for ext2, ext3, ...

Additional Reference

• http://www2.educ.umu.se/~bjorn/linux/howto/NFS-HOWTO-6.html

Windows Example

• Recursive deletion utility: "rd"
• Scenario:
  • Attacker makes a link from c:\temp\tempdir to c:\windows\system32 or any other sensitive directory
  • Administrator does "rd /s c:\temp"
  • Sensitive directory is erased!
• (Example from Howard and LeBlanc 2003)
• Note: Unlike the Windows "rd" utility, the UNIX command "rm -rf" does not traverse symlinked directories when deleting
  • But what happens when you do "rm -rf" on a Windows directory junction from within a Cygwin shell?

Other Example: XFree86 startx

• CVE-1999-0433
• Symlink vulnerability
• XFree86 runs as root, creates a temporary file
• What will this do?
  • ln -s /dev/hd0 /tmp/.tX0-lock
  • startx
• Note: /dev/hd0 refers to a hard disk

Answer

• XFree86 will write its temporary file to the raw device, messing up the file system...
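
An added example (not from the slides, and not XFree86 code): a lock-file open that follows a symlink already sitting at the path, beside one that refuses it with O_CREAT|O_EXCL. It runs in a private scratch directory; the file "target" stands in for /dev/hd0, and all names are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": create-or-truncate follows a symlink already present at the
   path, so a privileged writer overwrites whatever the link points to. */
static int open_lock_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* "After": with O_CREAT|O_EXCL, open() fails with EEXIST if anything exists
   at the path; a symlink there is not followed, even a dangling one. */
static int open_lock_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Scratch-directory demo on constructed paths. Bitmask: 1 = safe open refused
   the link, target intact; 2 = unsafe open truncated it; -1 = setup error. */
int demo_lock_symlink(void) {
    char dir[] = "/tmp/lockdemo.XXXXXX", target[64], lock[64];
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);  /* stands in for /dev/hd0 */
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);
    if ((fd = open(target, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    if (write(fd, "filesystem", 10) != 10) return -1;
    close(fd);
    if (symlink(target, lock) != 0) return -1;          /* link exists before the open */
    fd = open_lock_safe(lock);
    if (fd >= 0) close(fd); else if (errno == EEXIST && file_size(target) == 10) result |= 1;
    if ((fd = open_lock_unsafe(lock)) >= 0) close(fd);
    if (file_size(target) == 0) result |= 2;
    unlink(lock); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    printf("demo_lock_symlink() = %d\n", demo_lock_symlink());
    return 0;
}
```

O_EXCL keeps the link from being followed but not from being created, so a lock file also belongs in a directory that only the service can write to.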

Exercise

• Examine the installer script named "find_java.sh"
  • Location provided by instructor
• What does it do?
  • What should the variable $jvm contain?
    • What is the source of its value?
  • What should the variable $VAR contain?
    • What is the source of its value?
• Which program does the script really run?
  • How can this be exploited?

Exercise Answers

• The script executes a program named "java"
• Through links, another program may be invoked, masquerading as the real java
  • This program could check if it has root privileges and do nasty things when it does
    • During the install or later
    • Pass control to the real java when done, so as not to raise suspicions

Problem

• What happens between the attribute check, and the subsequent actions on the file?
  • The function call acts upon a name, not a handle!
• Similar problem for UNIX
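
For the UNIX side of this problem, an added example (not from the slides): the path is opened one component at a time with O_NOFOLLOW, and the attribute check and change then go through the resulting descriptor instead of the name. The function names and the scratch directory layout are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open rel (relative path) beneath rootfd one component at a time. O_NOFOLLOW
   on every step makes a symlink anywhere in the path an error, not a redirect. */
int open_beneath_nofollow(int rootfd, const char *rel) {
    char buf[256], *save = NULL;
    if (strlen(rel) >= sizeof buf) return -1;       /* never truncate a path */
    strcpy(buf, rel);
    int cur = dup(rootfd);
    for (char *name = strtok_r(buf, "/", &save); cur >= 0 && name; ) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = strcmp(name, "..") == 0 ? -1 :     /* ".." would leave the root */
            openat(cur, name, O_RDONLY | O_NOFOLLOW | (next ? O_DIRECTORY : 0));
        close(cur);
        cur = fd; name = next;
    }
    return cur;
}

/* Check and change attributes through the handle: fstat() and fchmod() act on
   the object that was opened, whatever the name refers to by now. */
int make_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    return fchmod(fd, 0600);
}

/* Constructed scratch tree: real/file plus a symlink link -> real. Bitmask:
   1 = real/file changed via its handle, 2 = link/file refused; -1 = setup error. */
int demo_handle_walk(void) {
    char dir[] = "/tmp/walkdemo.XXXXXX";
    int result = 0, root, fd;
    if (!mkdtemp(dir) || (root = open(dir, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    if (mkdirat(root, "real", 0700) || symlinkat("real", root, "link")) return -1;
    if ((fd = openat(root, "real/file", O_WRONLY | O_CREAT, 0644)) < 0) return -1;
    close(fd);
    fd = open_beneath_nofollow(root, "real/file");
    if (fd >= 0) { if (make_private(fd) == 0) result |= 1; close(fd); }
    if ((fd = open_beneath_nofollow(root, "link/file")) < 0) result |= 2; else close(fd);
    unlinkat(root, "real/file", 0); unlinkat(root, "link", 0);
    unlinkat(root, "real", AT_REMOVEDIR); close(root); rmdir(dir);
    return result;
}

int main(void) { return demo_handle_walk() == 3 ? 0 : 1; }
```

The program exits with status 0 when both results are as expected: the regular path is opened and changed, and the path through the symlinked directory is refused.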

Creating Files in Windows

• Calling "CreateFile" with the
  • "CREATE_NEW" flag will create a file, and fail if it exists
    • Good for file locks
    • But where did you just create it?
      • In /tmp/adir/?
        • What if adir was replaced with a directory junction?
  • "OPEN_EXISTING" flag will open an existing file, and fail if the file doesn't exist
    • But which file did you really open?
• Other users can create (given permissions)
  • Directory junctions
  • Hard links
  • And now symbolic links (old applications may be insecure when running on Vista)

Windows: Changing Attributes

• The call uses a file name, which may point to something unexpected through directory junctions or hard links
• BOOL SetFileAttributes( LPCTSTR lpFileName, DWORD dwFileAttributes );
• lpFileName is a path

Windows: Deleting a File

• BOOL DeleteFile( LPCTSTR lpFileName );
• Argument is a path
• Will delete a hard link and not the file pointed to
  • Good
• May delete something unexpected by following directory junctions
  • Bad, but note that there are legitimate uses for junctions
• Make sure that there are no unexpected directory junctions in the path
  • How do you do that? (see next slides!)