MYPROXY-2008-0004

Summary:

 

In a poorly administered machine, an attacker with local access to the myproxy-server host, could manipulate the stored credentials.


Component Vulnerable Versions Platform Availability Fix Available
myproxy-server 1.0 - 4.4 all not known to be publicly available 4.5 -
Status Access Required Host Type Required Effort Required Impact/Consequences
Verified local ordinary user MyProxy server host high medium
Fixed Date Credit
2009-Feb-12 Jim Kupsch

Access Required:

local ordinary user

This vulnerability requires a user to have access to a local account on the host running the myproxy-server.

Effort Required:

high

Some of the configuration options of the MyProxy server would have to be poorly chosen and the attacker would have to be able to win some race conditions on the local host to exploit this vulnerability.

Impact/Consequences:

medium

An attacker would not be able to access the contents of a credential, but they could delete credentials, add new credentials and see the names of credentials.

Full Details:

 

The function check_storage_directory only checks the ownership and permissions of the certificate storage directory. It does not check the trust of all the ancestors of this directory. This allows an attacker that has permissions to write to one of the ancestor directories the ability to replace the certificate storage directory with one that has weak permissions.

The attacker would wait the ownership and permissions check to occur and then manipulate the ancestor directory so the path to the storage directory refers to a directory under their control. When myproxy-server forms the path for the credential by concatenating the directory name and file name it will then place or access the file in the attacker's directory.

The permissions of the written credential are such that the attacker can not read their contents, but they can see the file name chosen, delete the credential, and create credentials with arbitrary contents and names.

Cause:

race condition
denial of service
information leak

The cause of this vulnerability is the result of a Time of Check, Time of Use (TOCTOU) vulnerability. This occurs because the trust of credential storage directory is performed first and when it is used it could be a different directory. This could then result in a denial of service if the attacker removes certificates. It also leaks the names of the files created in the certificate storage directory, which contain some information.

Proposed Fix:

 

Check the trust of all the credential storage directory and all of its ancestors. More information on how to do this properly and a library can be found at http://www.cs.wisc.edu/~kupsch/safefile.

Actual Fix:

 

The proposed fix has been implemented for MyProxy v4.5, released February 2009. The myproxy-server calls safe_is_path_trusted_r from the Safefile library and generates warning messages if SAFE_PATH_TRUSTED_CONFIDENTIAL is not returned for the credential storage directory.

Acknowledgment:

 

This research funded in part by NATO grant CLG 983049, the National Science Foundation under contract with San Diego Supercomputing Center, and National Science Foundation grants CNS-0627501 and CNS-0716460.