TOR-012 pen-torproject#13: exitmap - Limited File write due to insecure permissions via symlinks
Testing confirmed that low-privileged users in the same group as the user running exitmap with a custom tor directory could change the destination of the subsequent execution due to insecure default permissions.
changed title from exitmap - Symlink attack to exitmap - Symlink attack due to insecure permissions
changed title from exitmap - Symlink attack due to insecure permissions to exitmap - Limited File write due to insecure permissions via symlinks
Technical Description
When exitmap runs with a custom tor directory (-t), the os.makedirs function creates all required folders for that path. For example, if the path a/b/c is chosen, the folders a and b are created with permissions 770, and only the last folder c gets 700. Consequently, users in the same group as the exitmap user are also granted all permissions for the folders a and b. In other words, an attacker could replace the b folder with a symlink pointing to another folder, so that when the script runs again it creates files there with the permissions of the exitmap user.
tpo/network-health/exitmap/src/exitmap.py

    def main():
        # Create and set the given directories.
        if args.tor_dir and not os.path.exists(args.tor_dir):
            os.makedirs(args.tor_dir)
Proof of Concept
- Run python3 exitmap -t a/b/c checktest and stop the execution.
- Create the target directory with mkdir target
- Remove the directory b and symlink it to the target directory: rm -rf a/b && ln -sf ../target a/b
- Run the script again, python3 exitmap -t a/b/c checktest, and observe that the directory c is created inside the directory target.
Impact
For low-privileged attackers in the same group as the user running exitmap, it is possible to perform a symlink attack, resulting in a limited file write with the privileges of the victim user.
Recommendation
Replace os.makedirs(args.tor_dir) with os.makedirs(args.tor_dir, mode=0o700) to ensure that only the user running exitmap has access to the directory, and do not follow symlinks.
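As an added example (not exitmap's own code; the names make_private_dirs and demonstrate are hypothetical), the function below implements the recommendation above in a form that also addresses one caveat: from Python 3.7 on, the mode argument of os.makedirs applies only to the leaf directory, so os.makedirs(path, mode=0o700) alone still leaves the intermediate folders a and b at the umask default. The version here creates every component with 0o700, descends through directory file descriptors, and opens each component with O_NOFOLLOW so that a planted symlink is refused rather than followed. demonstrate() replays the proof-of-concept sequence in a temporary directory (a constructed scenario) and reports what happened.

```python
import os
import stat
import tempfile


def make_private_dirs(base: str, rel: str) -> str:
    """Create each component of `rel` below the trusted, existing directory
    `base` with mode 0o700, descending through directory file descriptors.

    Every component is opened with O_NOFOLLOW, so a symlink planted in an
    intermediate directory is refused (ELOOP) instead of silently followed.
    Components that already exist must be owned by the caller and are
    tightened to 0o700 with fchmod on the open fd (no path-based TOCTOU).
    Hypothetical replacement for the bare os.makedirs(args.tor_dir) call.
    """
    parts = [p for p in rel.split(os.sep) if p and p != "."]
    if any(p == os.pardir for p in parts):
        raise ValueError("relative path must not climb out of base")
    fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts:
            try:
                # The mode is applied to this component, so no intermediate
                # directory is left at the umask default (the root cause above).
                os.mkdir(name, 0o700, dir_fd=fd)
            except FileExistsError:
                pass
            try:
                nfd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=fd)
            except OSError as e:  # ELOOP for a symlink, ENOTDIR for a plain file
                raise PermissionError(
                    f"refusing to traverse {name!r} under {base!r}: {e.strerror}"
                ) from e
            os.close(fd)
            fd = nfd
            st = os.fstat(fd)
            if st.st_uid != os.getuid():
                raise PermissionError(f"{name!r} is not owned by uid {os.getuid()}")
            if stat.S_IMODE(st.st_mode) != 0o700:
                # Tighten a directory left over from an earlier, permissive run.
                os.fchmod(fd, 0o700)
    finally:
        os.close(fd)
    return os.path.join(base, *parts)


def demonstrate() -> dict:
    """Constructed scenario mirroring the proof of concept: a first run creates
    a/b/c, then a/b is swapped for a symlink to ../target, then a second run."""
    with tempfile.TemporaryDirectory() as work:
        make_private_dirs(work, "a/b/c")
        modes = [stat.S_IMODE(os.lstat(os.path.join(work, p)).st_mode)
                 for p in ("a", "a/b", "a/b/c")]
        # The attacker step from the PoC: replace the intermediate directory
        # with a symlink (here done by the same user, purely for the demo).
        target = os.path.join(work, "target")
        os.mkdir(target, 0o700)
        os.rmdir(os.path.join(work, "a/b/c"))
        os.rmdir(os.path.join(work, "a/b"))
        os.symlink("../target", os.path.join(work, "a/b"))
        refused = False
        try:
            make_private_dirs(work, "a/b/c")
        except PermissionError:
            refused = True
        return {
            "modes": modes,                       # expected: [0o700, 0o700, 0o700]
            "refused_symlink": refused,           # expected: True
            "escaped": os.path.exists(os.path.join(target, "c")),  # expected: False
        }


if __name__ == "__main__":
    print(demonstrate())
```

The base directory is opened without O_NOFOLLOW on purpose: it is the caller's trusted starting point (for exitmap, the current working directory), while everything created beneath it is held to the 0o700-and-no-symlink rule. Doing the check on the open file descriptor rather than on the path closes the window between the existence check and the directory creation that the original os.path.exists / os.makedirs pair leaves open.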
Type
CWE-276: Incorrect Default Permissions
mentioned in issue #29 (closed)