[php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Fiedler Roman
Roman.Fiedler at ait.ac.at
Tue Oct 21 07:52:46 UTC 2014
Package: php5-common
Version: 5.4.4-14+deb7u14
Tags: security
/usr/lib/php5/sessionclean from [1] enables any process allowed to create
entries in /var/lib/php5 to adjust the modification time of any file by
waiting for the /etc/cron.d/php5 session cleanup job to run. This requires
/proc/sys/fs/protected_symlinks to be set to 0 (off), which is not the
default in Debian 7 Wheezy and up, according to information from the Debian
security team.
Even for affected systems, the impact might be small, just annoying:
* backup/IDS might be unhappy when a file's modification time is changed
  every 30 min
* some spoolers might work differently, since a stale file could be
  prevented from reaching the required age for its next action
* some privileged /proc or /sys entries might not handle a modification time
  update correctly or might react in a strange way
* the sudo credentials cache might be affected (not checked)
In my judgement, the session cleanup code does _NOT_ allow creating
arbitrary files ("touch -c" is used), hence it would not be possible to use
this to create e.g. /etc/suid-debug.
POC (run as root on a host with /proc/sys/fs/protected_symlinks = 0):
su -s /bin/bash nobody     # any account that may create entries in /var/lib/php5
cd /var/lib/php5
ln -s /etc/passwd xxx      # the symlink the cleanup job will end up touching
cat > "xxx yyy"            # keep a file whose name contains a space open; the
                           # cleanup job only sees the part before the space,
                           # i.e. "xxx", and "touch -c" follows the symlink
# wait for the next /etc/cron.d/php5 run, then check the mtime of /etc/passwd
[1] http://http.us.debian.org/debian/pool/main/p/php5/php5-common_5.4.4-14+deb7u14_i386.deb
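The pattern behind the report, as an added example that is not part of the original message and not the contents of Debian's sessionclean script: a cleanup step that runs "touch -c" on names found in a session directory follows any symlink planted there, so the timestamp update lands on whatever the link points to. The script below models that step in a throwaway directory (no root, no cron) next to a hardened variant that skips symlinks and uses "touch -h" so a link swapped in after the check only gets its own timestamp bumped. The loop bodies, the helper names and the "victim" file are assumptions made for the demonstration; "touch -h" is a GNU/BSD coreutils option, not POSIX.

```shell
#!/bin/sh
# Added example: models a session-cleanup "touch" step, not the real
# /usr/lib/php5/sessionclean. Runs entirely under mktemp -d as an
# unprivileged user; "victim" stands in for /etc/passwd.

# Vulnerable pattern (assumed model): every entry in the session directory
# gets "touch -c". touch follows symlinks, so a planted link redirects the
# mtime update to any file the cleanup job (root, in the cron case) may write.
cleanup_vulnerable() {
    sessdir="$1"
    for f in "$sessdir"/*; do
        [ -e "$f" ] || continue      # skip the unexpanded glob / dangling links
        touch -c "$f"
    done
}

# Hardened pattern: only regular, non-symlink entries are touched, and
# "touch -h" makes sure a symlink raced in after the test still cannot
# reach its target (only the link's own timestamp changes).
cleanup_hardened() {
    sessdir="$1"
    for f in "$sessdir"/*; do
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            continue                 # symlink or not a regular file: ignore
        fi
        touch -c -h "$f"
    done
}

# Demo harness: builds a session dir containing a symlink "xxx" -> victim,
# runs the given cleanup function over it and returns 0 if the victim's
# mtime was pushed forward, 1 if it was left alone (2 on setup failure).
# victim is dated 2000-01-01, a reference file 2001-01-01; a bumped victim
# is therefore "newer than" the reference.
victim_touched_by() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/sessions" || { rm -rf "$tmp"; return 2; }
    : > "$tmp/victim" && touch -t 200001010000 "$tmp/victim"
    : > "$tmp/ref"    && touch -t 200101010000 "$tmp/ref"
    ln -s "$tmp/victim" "$tmp/sessions/xxx"   # the planted symlink
    "$1" "$tmp/sessions"
    if [ "$tmp/victim" -nt "$tmp/ref" ]; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Usage (prints one line per variant):
if victim_touched_by cleanup_vulnerable; then
    echo "vulnerable loop: victim mtime changed through the symlink"
fi
if victim_touched_by cleanup_hardened; then
    echo "hardened loop: victim mtime changed (unexpected)"
else
    echo "hardened loop: victim mtime untouched"
fi
```

The "[ -L ]" test alone is a time-of-check/time-of-use window for anyone who can rename entries in the directory; "touch -h" is what closes it, because it never dereferences the name it is given. On a kernel with fs.protected_symlinks=1 the vulnerable loop also fails when run as root, which is exactly why the report above only concerns hosts that have that setting turned off.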