Vulnerability Note VU#349019

Tripwire vulnerable to arbitrary file overwriting via symlink redirection of temporary file

Original Release date: 15 Nov 2001 | Last revised: 15 Nov 2001

Overview

Tripwire is a file integrity verification utility for Unix and Linux operating systems. In some implementations, tripwire opens insecure temporary files with predictable names in publically-writable directories. Using a symbolic link attack, a local intruder may overwrite or create arbitrary files on machines running tripwire.

Description

Tripwire opens temporary files in /tmp using predictable names without first checking for prior existence or ownership of these files. The files are opened when building or updating tripwire's database of file checksums.

Impact

By creating symbolic links with appropriate names within a very tight time window, a local attacker may be able to redirect the data sent to the temporary file to arbitrary files on machines running tripwire. Since tripwire normally is executed by the system administrator, file protections will not apply. The file overwrite may result in disabling of system services, crashing the machine, or disabling of system protections.

Solution

Apply vendor patches; see the Systems Affected section below.

Clear /tmp prior to execution of tripwire.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
MandrakeSoftAffected09 Jul 200127 Sep 2001
sourceforgeAffected16 Jan 200127 Sep 2001
TripwireAffected09 Oct 200129 Oct 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was first discovered by Jamo Huuskonen.

This document was last modified by Tim Shimeall.

Other Information

  • CVE IDs: Unknown
  • Date Public: 09 Jul 2001
  • Date First Published: 15 Nov 2001
  • Date Last Updated: 15 Nov 2001
  • Severity Metric: 5.85
  • Document Revision: 10

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.