Subject: Insecure /tmp file handling
Parallel::ForkManager's handling of temporary files is very insecure.
1) Temporary file names are predictable. There is nothing random about
the temporary file names in Parallel::ForkManager: the name is built
only from the parent and child PIDs, both of which are visible to every
user in ps output. Using a predictable filename in a directory writable
by other users (/tmp) turns theoretical exploits ("if I guess the
filename and do X, Y, Z") into actual exploits ("I do X, Y, Z").
2) Parallel::ForkManager allows overwriting arbitrary files. Ex:
Root is running code under Parallel::ForkManager that uses the temporary
file logic. The attacker sees the code running in ps output and symlinks
/tmp/Parallel-ForkManager-$parent_pid-$child_pid.txt to /etc/shadow.
Storable::store opens the path for writing, follows the symlink, and
truncates and overwrites the shadow file, making logins impossible on
the system.
3) Parallel::ForkManager allows an attacker to feed arbitrary data to
the return mechanism. Ex:
Root is running code under Parallel::ForkManager that uses the temporary
file logic. The attacker creates a dangling symlink (one whose target
does not yet exist) from
/tmp/Parallel-ForkManager-$parent_pid-$child_pid.txt to
/home/attacker/attack.txt. Storable::store follows the symlink and
creates attack.txt in the attacker's home directory. The attacker sits
in a loop waiting for attack.txt to appear and, as soon as it does,
unlinks it and replaces it with a file containing whatever data the
attacker wants to feed into the parent, which then deserializes it with
Storable::retrieve. Storable's own documentation warns against
retrieving data from untrusted sources, since a crafted image can bless
references into arbitrary classes.
4) Parallel::ForkManager uses insecure permissions on its temporary
files. Storable just honours the process umask when creating the
temporary files. The default umask on most systems is 0022, so the files
are created 0644 and any account on the system can read the contents of
the /tmp files, i.e. every value a child returns to the parent.
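The following is an added illustration of how the four problems can be closed together; it is not Parallel::ForkManager's code, and the function names, the per-instance directory layout and the sample result hash are assumptions made for the example. The parent creates a private, randomly named directory (mode 0700) before forking, so the predictable per-child name lives somewhere no other account can pre-create a symlink or read; the child opens its result file with O_CREAT|O_EXCL|O_NOFOLLOW and an explicit 0600 mode so that a symlink or pre-existing file is an error rather than something to follow; and the parent checks that what it is about to hand to Storable is a regular file owned by itself.

```perl
#!/usr/bin/perl
# Added example, not Parallel::ForkManager's own code.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_RDONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempdir);
use Storable qw(store_fd fd_retrieve);
use POSIX ();

# 1. Parent creates a private directory before forking. tempdir() uses
#    mkdtemp semantics: random suffix, mode 0700, removed at exit of the
#    process that created it. Other accounts can neither plant a symlink
#    inside it nor read the files it contains.
my $tempdir = tempdir("Parallel-ForkManager-XXXXXXXX",
                      TMPDIR => 1, CLEANUP => 1);

# Hypothetical naming scheme: the name is still predictable, but that no
# longer matters because only this uid can create entries in $tempdir.
sub child_result_path {
    my ($dir, $parent_pid, $child_pid) = @_;
    return "$dir/$parent_pid-$child_pid.txt";
}

# 2. Child writes its result. O_EXCL makes the open fail if anything is
#    already at that path (so a symlink is never followed), O_NOFOLLOW is
#    belt and braces, and the explicit 0600 mode applies regardless of umask.
sub write_result {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "refusing to write $path: $!";
    store_fd($data, $fh) or die "store_fd($path): $!";
    close $fh or die "close($path): $!";
}

# 3. Parent reads the result back without following symlinks and refuses
#    to deserialise anything that is not a regular file owned by itself.
sub read_result {
    my ($path) = @_;
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW)
        or die "cannot open $path: $!";
    my @st = stat($fh);
    die "$path is not a regular file owned by uid $<"
        unless -f _ && $st[4] == $<;
    my $data = fd_retrieve($fh);
    close $fh;
    unlink $path;
    return $data;
}

my $parent_pid = $$;
my @children;
for my $n (1 .. 3) {
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: sample result hash is constructed for the example.
        write_result(child_result_path($tempdir, $parent_pid, $$),
                     { worker => $n, square => $n * $n });
        POSIX::_exit(0);   # skip END blocks so the child never cleans up $tempdir
    }
    push @children, $pid;
}

for my $pid (@children) {
    waitpid($pid, 0);
    my $r = read_result(child_result_path($tempdir, $parent_pid, $pid));
    print "child $pid returned worker=$r->{worker} square=$r->{square}\n";
}
```

With this layout an attacker who reads the PIDs from ps gains nothing: the directory name is random and 0700, a pre-placed symlink at the child's path makes sysopen fail with EEXIST instead of being followed, and the parent only ever feeds Storable a file it created itself. Storable::retrieve on untrusted input remains unsafe in general; the point of the ownership and O_NOFOLLOW checks is to guarantee that the input is never untrusted.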