Matlab /tmp usage



Paul Szabo
23/12/02, 17:09
INTRODUCTION

MATLAB is "The Language of Technical Computing"
http://www.mathworks.com/


PROBLEM

As installed on UNIX machines, matlab uses shell scripts to launch; these
scripts use files in /tmp in an unsafe way.


DETAILS

The matlab script uses /tmp/$$a and may clobber it, allowing an attacker
to "wipe out" any file belonging to the matlab user. Suppose the attacker
guesses what PID will be used next and creates a symlink with

ln -s ~victim/.profile /tmp/PIDa

then waits for the victim to run matlab: the victim's .profile gets
overwritten with garbage. (If root ever uses matlab then any file, e.g.
/etc/passwd, could similarly be trashed.)

It might be argued that it is hard to guess what PID will be used next.
It is easy enough to create a few thousand symlinks with likely PIDs; in
fact the attacker could create a symlink for every possible PID (as these
normally range from 0 to 32k or 64k).

The mex script may similarly clobber both /tmp/$$a and /tmp/$$b. Worse,
it sources (executes) any existing /tmp/$$a script, allowing an attacker
to execute any commands as the mex user. Proof-of-concept
(script-kiddie-safe) code:

echo 'echo You lose: rm -rf $HOME >> $HOME/.profile' > /tmp/evil
perl -e 'for (1..32000) { symlink "/tmp/$_a", "/tmp/evil" }'

then wait for any victim to use mex (if root ever uses mex then any
actions may be taken).


VENDOR COMMUNICATION

5 Dec 2002 MathWorks notified
10 Dec 2002 case ID is: 1034529
16 Dec 2002 engineers [will] try to validate
18 Dec 2002 working on a solution for the next release of MATLAB R14
18 Dec 2002 if you have a WORKING fix ... [recommend] comp.soft-sys.matlab


WORKAROUND/PATCH

I suggest you use something similar to the following patches. (Standard
textbook techniques: use a safe directory, and do not use files at all.)

*** matlab/6.5/bin/matlab.old Tue Sep 24 10:52:30 2002
--- matlab/6.5/bin/matlab Thu Dec 19 08:36:04 2002
***************
*** 137,145 ****
#
# Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
#
! temp_file=/tmp/$$a
#
! trap "rm -f $temp_file; exit 1" 1 2 3 15
#
#========================= archlist.sh (start) ============================
#
--- 137,147 ----
#
# Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
#
! temp_dir=/tmp/$$a
! temp_file=$temp_dir/a
! mkdir -m 700 $temp_dir || exit 1
#
! trap "rm -rf $temp_dir; exit 1" 1 2 3 15
#
#========================= archlist.sh (start) ============================
#
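
Review bot: The added `mkdir -m 700 $temp_dir || exit 1` still builds its name from /tmp/$$a, so anyone who pre-creates that name makes the launcher exit before MATLAB starts, and it does so without printing anything. mkdir refusing an existing entry (a symlink included) is what closes the clobbering problem, but the name stays guessable: consider `mktemp -d` where it is available, or retrying with a different suffix, and write a message to stderr before the exit. Quoting "$temp_dir" in the mkdir line and inside the trap string would also be safer.
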
***************
*** 1790,1798 ****
echo '------------------------------------------------------------------------') >> $temp_file
#+++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++
more $temp_file
! rm -f $temp_file
exit 0
fi
#
# Export the variables
#
--- 1792,1801 ----
echo '------------------------------------------------------------------------') >> $temp_file
#+++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++
more $temp_file
! rm -rf $temp_dir
exit 0
fi
+ rm -rf $temp_dir
#
# Export the variables
#
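
Review bot: Cleanup here is two explicit `rm -rf $temp_dir` lines, one before `exit 0` and one after the `fi`, while the trap set near line 137 only fires on signals 1 2 3 15. Any other exit taken between the mkdir and this point would leave the directory in /tmp. A trap on 0 that removes the directory would cover every exit path and make both of these lines unnecessary.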

*** matlab/6.5/bin/mex.old Tue Sep 24 10:52:30 2002
--- matlab/6.5/bin/mex Thu Dec 19 11:07:34 2002
***************
*** 1014,1021 ****
exit 1
fi
if [ "$verbose" = "1" ]; then
! temp_file=/tmp/$$b
! files_to_remove="$files_to_remove $temp_file"
. $MATLAB/bin/util/oscheck.sh
if [ "$oscheck_status" = "1" ]; then
cleanup
--- 1014,1023 ----
exit 1
fi
if [ "$verbose" = "1" ]; then
! temp_dir=/tmp/$$b
! temp_file=$temp_dir/b
! files_to_remove="$files_to_remove $temp_dir"
! mkdir -m 700 $temp_dir || exit 1
. $MATLAB/bin/util/oscheck.sh
if [ "$oscheck_status" = "1" ]; then
cleanup
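
Review bot: In the added `mkdir -m 700 $temp_dir || exit 1`, a failure exits directly, whereas the oscheck failure path just below calls `cleanup` first, so anything already listed in $files_to_remove is left behind when mkdir fails. Call cleanup before exiting here too. $files_to_remove now also holds a directory; the cleanup function is not part of this patch, so please confirm it removes its entries with rm -rf rather than rm -f.
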
***************
*** 1031,1038 ****
#
# Source the file of argument variables, name=[def]
#
! if [ -f /tmp/$$a ]; then
! . /tmp/$$a
fi

#
--- 1033,1043 ----
#
# Source the file of argument variables, name=[def]
#
! #if [ -f /tmp/$$a ]; then
! # . /tmp/$$a
! #fi
! if [ -n "$EVAL_ASSIGNS" ]; then
! eval "$EVAL_ASSIGNS"
fi

#
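
Review bot: The old `if [ -f /tmp/$$a ]` block is kept as comments beside its replacement; delete it instead, since the diff already records what was there and a commented-out `. /tmp/$$a` is easy to re-enable by mistake. A one-line comment saying that EVAL_ASSIGNS holds the name=value arguments collected during argument parsing would help the next reader of this section.
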
***************
*** 1505,1510 ****
--- 1510,1516 ----
ARCH=
Arch='Undetermined'
verbose=0
+ EVAL_ASSIGNS=
#
# Use a C entry point by default
#
***************
*** 1698,1705 ****
*[=\#]*)
lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
! echo $lhs='"'$rhs'"' >> /tmp/$$a
! files_to_remove="$files_to_remove /tmp/$$a"
;;
*.c) # c source file.
cfiles='1'
--- 1704,1712 ----
*[=\#]*)
lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
! #echo $lhs='"'$rhs'"' >> /tmp/$$a
! #files_to_remove="$files_to_remove /tmp/$$a"
! EVAL_ASSIGNS="$EVAL_ASSIGNS$lhs="'"'"$rhs"'";'
;;
*.c) # c source file.
cfiles='1'
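
Review bot: In the new `EVAL_ASSIGNS=...` line, $rhs is wrapped in double quotes and the string is later passed to eval, so a double quote, backquote or $ inside the value is re-interpreted by the shell instead of being assigned literally. The removed echo-to-file line behaved similarly, so this is not a regression, but since the value comes straight from "$1" it is worth escaping it (or wrapping it in single quotes with embedded single quotes escaped) before appending. When "$1" begins with = or #, $lhs is empty and the eval sees `="...";`, so skip the append in that case. The two commented-out lines can be deleted.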


SIGNATURE

Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
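
The "safe directory" technique from the WORKAROUND/PATCH section, as an added example that is not part of the original advisory or of MathWorks' scripts. It goes slightly beyond the patch by choosing an unpredictable name and retrying on collision; the helper names claim_dir, random_suffix and private_tmpdir are hypothetical, and a POSIX shell with od and /dev/urandom is assumed.

```shell
#!/bin/sh
# Added example, not MathWorks code. Helper names are hypothetical.

# claim_dir PATH: create PATH as a mode-700 directory, or fail.
# mkdir is atomic and refuses any existing entry, including a symlink
# planted in advance, so nothing is ever written through such a link.
claim_dir() {
    (umask 077 && mkdir -- "$1") 2>/dev/null
}

# random_suffix: 16 hex digits from /dev/urandom (assumed present), so the
# name cannot be guessed the way a PID can.
random_suffix() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# private_tmpdir [BASE] [PREFIX]: print the path of a fresh private directory.
# Prefers mktemp -d; otherwise retries claim_dir under new random names
# instead of exiting on the first collision.
private_tmpdir() {
    base=${1:-${TMPDIR:-/tmp}}
    prefix=${2:-scratch}
    if command -v mktemp >/dev/null 2>&1 &&
       dir=$(mktemp -d "$base/$prefix.XXXXXXXXXX" 2>/dev/null); then
        printf '%s\n' "$dir"
        return 0
    fi
    tries=0
    while [ "$tries" -lt 20 ]; do
        dir=$base/$prefix.$(random_suffix)
        if claim_dir "$dir"; then
            printf '%s\n' "$dir"
            return 0
        fi
        tries=$((tries + 1))
    done
    return 1
}

# Use in a launcher script (left as comments so that sourcing this file has
# no side effects):
#   temp_dir=$(private_tmpdir) || { echo "cannot create temp dir" >&2; exit 1; }
#   trap 'rm -rf "$temp_dir"' 0
#   trap 'exit 1' 1 2 3 15
#   temp_file=$temp_dir/a
```

The trap on 0 removes the directory on every exit path, so no separate rm -rf is needed before each exit.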