temp-file creation vulnerability in rdbSave function #1560
Comments
@megahall does this issue have CVE identifier? Please do request one publicly from oss-security. Documentation: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
Requested one. I'll post it when I get it.
CC
Hello, the reason I did not reply is because this security bug report is absurd. Security must be evaluated in the context of a given software. With Redis CONFIG SET you can make the server chdir to whatever directory you want, fill the DB with a given set of keys that will result in a specific RDB file, change the name of the target file, and use SAVE in order to write random files with mostly attacker-chosen content around the filesystem. In the light of the above, do you think that the symlink vulnerability in Redis is significant?
Matthew. Sent from my mobile device. On April 23, 2014 7:02:32 AM PDT, Salvatore Sanfilippo notifications@github.com wrote:
While this issue involves temporary file creation, it does not involve typical security issues with temporary files. We assume Because of that, the usual issues around choosing a non-existing random temp file name, handling the inherent race condition, opening exclusively etc. don't apply. Closing this issue now, and I will verify the documentation does indeed mention the need for a secure
I have been trying to reach the Redis maintainers since 2013-09-13
regarding this report, but I could not find a good security contact for
Redis, and the lead maintainer,
Salvatore Sanfilippo <antirez@gmail.com>
is not replying to my private report to him about the issue and his
opinion of it. I also contacted US-CERT for help and they could not
reach anyone by 2014-01-24.
Therefore I would like to encourage the Redis team to be more
security-friendly and establish some contact procedures on their
website. Given how many places this software is now being used these
days, I think it is very critical to make these changes before someone
finds something more serious than the one I could spot.
I think I might have discovered a security vulnerability in Redis
2.6.16. This code is from the function `int rdbSave(char *filename)` in rdb.c:
In line 641, the function does not use a secure temporary file creation
routine such as `mkstemp`. This is vulnerable to a wide range of attacks which
could result in overwriting (in line 693-695) and unlinking (in line 701) any
file / hard link / symlink placed in `temp-PID.rdb` by an attacker.
https://www.owasp.org/index.php/Improper_temp_file_opening
https://www.owasp.org/index.php/Insecure_Temporary_File
The code should be creating the temporary file using some kind of safe
function like `mkstemp`, `O_EXCL` open, etc. instead of just using a `PID`
value which does not have enough entropy and protection from race conditions. It
should also be sure it has set the `CWD` of itself to a known-safe location that
should have permissions which are only open to the `redis` daemon / `redis`
user and not to other users or processes.
The advisory is posted here:
https://www.mhcomputing.net/redis-advisory-2013.txt
Thanks,
Matthew Hall
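As an added example (not code from Redis or from the reporter), this is the hardened pattern the report asks for, in C: the scratch file is created with mkstemp() in the target directory instead of a predictable temp-PID name, then moved onto the final path with an atomic rename(). The function names write_file_atomically and file_has_contents are chosen here; the payload in any usage is a constructed sample, not a real RDB.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for the temp-PID.rdb pattern: mkstemp() creates the
 * scratch file with O_CREAT|O_EXCL, mode 0600 and a random name, so a file or
 * symlink pre-placed under a guessable name is never followed or overwritten.
 * The scratch file lives in the same directory as final_path so the closing
 * rename() is atomic. Returns 0 on success, -1 on failure (scratch removed). */
int write_file_atomically(const char *final_path, const void *buf, size_t len)
{
    char tmpl[4096];
    const char *slash = strrchr(final_path, '/');
    size_t dirlen = slash ? (size_t)(slash - final_path + 1) : 0;
    if (dirlen + sizeof(".rdb-XXXXXX") > sizeof(tmpl)) return -1;
    memcpy(tmpl, final_path, dirlen);
    strcpy(tmpl + dirlen, ".rdb-XXXXXX");   /* mkstemp fills in the X's */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    const char *p = buf;
    while (len > 0) {                        /* handle short writes */
        ssize_t n = write(fd, p, len);
        if (n < 0) { close(fd); unlink(tmpl); return -1; }
        p += n; len -= (size_t)n;
    }
    int ok = (fsync(fd) == 0);               /* data durable before rename */
    if (close(fd) != 0) ok = 0;
    if (!ok || rename(tmpl, final_path) != 0) { unlink(tmpl); return -1; }
    return 0;
}

/* Returns 1 if the file at path holds exactly buf[0..len), else 0. */
int file_has_contents(const char *path, const void *buf, size_t len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    unsigned char *tmp = malloc(len + 1);
    if (!tmp) { fclose(f); return 0; }
    size_t got = fread(tmp, 1, len + 1, f);  /* extra byte detects trailing data */
    fclose(f);
    int same = (got == len) && memcmp(tmp, buf, len) == 0;
    free(tmp);
    return same;
}
```

Because the scratch name is random and opened exclusively, the pre-placed-symlink case the report describes fails at mkstemp() rather than silently redirecting the write.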