TOR-012 pen-torproject#13: exitmap - Limited File write due to insecure permissions via symlinks

Testing confirmed that low-privileged users in the same group as the user running exitmap with a custom tor directory could change the destination of the subsequent execution due to insecure default permissions.

added ~7001 label

changed title from exitmap - Symlink attack to exitmap - Symlink attack due to insecure permissions

changed title from exitmap - Symlink attack due to insecure permissions to exitmap - Limited File write due to insecure permissions via symlinks

changed the description

added ~4423 label

Author Maintainer

Technical Description

When exitmap runs with a custom tor directory -t, the os.makedirs function creates all required folders for that path. For example, if the path a/b/c is chosen, the folders a and b are created with permissions 770, and only the last folder c gets 700. Consequently, users in the same group as the exitmap user are also granted all permissions for the folders a and b. In other words, attackers could redirect a symlink in the b folder to another folder, creating files with the permissions of the exitmap user when the script runs again.

tpo/network-health/exitmap/src/exitmap.py

def main():
    # Create and set the given directories.
    if args.tor_dir and not os.path.exists(args.tor_dir):
        os.makedirs(args.tor_dir)

Proof of Concept

  1. Run python3 exitmap -t a/b/c checktest and stop the execution.
  2. Create the target directory with mkdir target
  3. Remove the directory b and symlink to the target directory: rm -rf a/b && ln -sf ../target a/b
  4. Run the script again, python3 exitmap -t a/b/c checktest and observe that the directory c is created inside the directory target.

changed the description

Author Maintainer

Impact

For low-privileged attackers in the same group as the user running exitmap, it is possible to perform a symlink attack, resulting in a limited file write with the privileges of the victim user.

Author Maintainer

Recommendation

Replace os.makedirs(args.tor_dir) with os.makedirs(args.tor_dir, mode=0o700) to ensure that only the user running exitmap has access to the directory, and do not follow symlinks.
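An added example, not exitmap's own code: on Python 3.7 and later the mode argument of os.makedirs applies only to the leaf directory, so the parents a and b still take their permissions from the umask. makedirs_modes shows this under a constructed umask of 0o007, and private_makedirs is a hypothetical helper that creates every component with 0o700 and refuses symlinked or group-writable components, assuming the base directory itself is trusted.

```python
import os
import stat
import tempfile

def makedirs_modes(root, rel="a/b/c", umask=0o007):
    """Permission bits os.makedirs(mode=0o700) leaves on each component."""
    old = os.umask(umask)  # constructed group-friendly umask
    try:
        os.makedirs(os.path.join(root, rel), mode=0o700)
    finally:
        os.umask(old)
    cur, modes = root, []
    for part in rel.split("/"):
        cur = os.path.join(cur, part)
        modes.append(os.lstat(cur).st_mode & 0o777)
    return modes

def private_makedirs(base, rel):
    """Create base/rel component by component, each 0o700, never via a symlink.

    Assumed policy (hypothetical helper): base is trusted; every component
    below it must be a real directory owned by us, not group/other-writable.
    """
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise ValueError("'..' is not allowed in the relative path")
    cur = base
    for part in parts:
        cur = os.path.join(cur, part)
        try:
            os.mkdir(cur, mode=0o700)  # fails with EEXIST even on a symlink
            continue
        except FileExistsError:
            pass
        st = os.lstat(cur)  # lstat inspects the link itself, not its target
        if not stat.S_ISDIR(st.st_mode):
            raise PermissionError(f"{cur}: symlink or non-directory")
        if st.st_uid != os.geteuid() or st.st_mode & 0o022:
            raise PermissionError(f"{cur}: owned or writable by another user")
    return cur

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print([oct(m) for m in makedirs_modes(tmp)])
```

Because each existing parent is verified to be owner-only before the next component is created, no other user can swap a component between the check and the following mkdir.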

Author Maintainer

Type

CWE-276: Incorrect Default Permissions

changed the description

added ~8256 label

removed ~4423 label

added ~4424 label

mentioned in issue #29 (closed)