Alan W

Reputation: 301

sh script vulnerability in Linux

I was given an assignment for my Computer Security class. We were given a piece of code to analyze and determine the vulnerabilities that it might have.

#!/bin/sh
# shell script to create a copy of the shadow file to the /tmp directory

echo > /tmp/shadowcopy

# allow only root access
chmod 600 /tmp/shadowcopy

# append the original file to the copy
cat /etc/shadow >> /tmp/shadowcopy

# Hint: the access permissions of a file in Linux are verified when the
# file is opened. The process will keep the original permissions as long
# as it keeps the file open, even if permissions change.

Some classmates and I determined that this script might suffer from a race condition vulnerability if two separate processes try to open /tmp/shadowcopy.

We also think that command injection vulnerability could be possible if the /tmp/shadowcopy is changed before the append begins.

Are our assumptions wrong, or does this code suffer from other vulnerabilities we might not have considered?

Upvotes: 0

Views: 737

Answers (1)

John Bollinger

Reputation: 180331

There is indeed a race condition, in that an adversary could potentially access /tmp/shadowcopy between the script creating it and the script setting its permissions. However, if indeed the script creates the file, then its initial permissions will be governed by the effective umask. If that allows files to be created that are writable other than by the user then that's bad, but I don't account it a vulnerability in the script itself. The script nevertheless could address that.

If it were the case that the effective umask caused /tmp/shadowcopy to initially be writable by others, however, then an adversary could potentially inject fake credentials into it before the permissions were changed.

There is also a race condition in that if the script were run at the same time in two separate processes, then /tmp/shadowcopy could end up containing an arbitrary admixture of two copies of /etc/shadow. That in itself is not a security vulnerability, but it could combine with other behavior of a larger script to create one.

I think you've missed by far the biggest risk in the above code, though. Consider that because it reads /etc/shadow, the script must be executed with root privilege in order to perform its intended work. Now, consider who can usually write in /tmp. Now, think about what any of those people might be able to accomplish by creating /tmp/shadowcopy before the script runs.

Upvotes: 2
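A hardened rewrite of the script, as an added example that is not part of the question or the answer above. It assumes a POSIX shell with mktemp(1) available and a sticky-bit /tmp, and it addresses the two problems the answer raises: the window before chmod in which the copy's permissions depend on the umask, and the fixed, predictable name that anyone who can write in /tmp could create ahead of the root process.

```shell
#!/bin/sh
# Hardened variant of the script from the question (added example).
# Defences:
#  1. umask 077 is set BEFORE any file is created, so the copy is never
#     group- or world-accessible, not even for an instant. No chmod race.
#  2. The copy is created with mktemp, which opens a fresh file exclusively
#     (O_EXCL) with mode 0600 under an unpredictable name, so a pre-created
#     /tmp/shadowcopy (a plain file or a symlink pointing elsewhere) is
#     never opened or written through by the privileged process.

# Copy $1 into a private temp file under directory $2 (default /tmp) and
# print the resulting path on stdout. Returns non-zero on any failure.
safe_copy() {
    src=$1
    dir=${2:-/tmp}

    umask 077                                            # new files: rw-------
    tmp=$(mktemp "$dir/shadowcopy.XXXXXX") || return 1   # exclusive create

    # mktemp guarantees a regular file we just created; the check simply
    # makes that assumption explicit before anything is written.
    if [ ! -f "$tmp" ] || [ -L "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi

    # Write into the file mktemp created. Its random name cannot have been
    # pre-created by someone else, and the sticky bit on /tmp stops other
    # users from removing or replacing it while we hold it.
    cat "$src" > "$tmp" || { rm -f "$tmp"; return 3; }
    printf '%s\n' "$tmp"
}

# Usage as root (prints the path of the private copy):
#   safe_copy /etc/shadow
```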
