KTemporaryFile::createLocalFile()
David Faure
faure at kde.org
Thu Jul 5 11:35:23 BST 2007
On Thursday 05 July 2007, Oswald Buddenhagen wrote:
> On Thu, Jul 05, 2007 at 10:49:06AM +0200, David Faure wrote:
> > But you're right, command-line tools only do as much as they can, this
> > doesn't mean we should make the same mistakes in C++ code.
> >
> it is beyond me, how this can be a mistake. can you come up with an
> *actual* exploitable scenario?
It is beyond me why I should explain to you something that I only know from previous
discussions on this list, but let's try :-)
1) App calls KTemporaryFile::createLocalFile(), which creates a file, opens it, closes it, returns its name
2) Another user is running a malicious script that watches /tmp (e.g. using inotify); it gets notified
about the new file.
3) Said script replaces the new temp file with a symlink to your ~/.ssh/id_dsa (or any other file that has value to you)
4) App now reopens the file using the path it got from step 1, and this erases your ssh private key. Damn!
This is the reason why [QK]TemporaryFile returns an open file: while the file is open, an attacker can't replace it with a symlink.
--
David Faure, faure at kde.org, sponsored by Trolltech to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
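An added example in C (not KDE or Qt code) showing the defensive side of the point above: write through the descriptor that created the file, and if the name ever has to be reused, reopen it with O_NOFOLLOW and compare the inode against the original. The demo() self-check replays step 3 against a constructed decoy file in /tmp owned by the process itself; the temp name patterns are assumptions.

```c
#define _GNU_SOURCE 1            /* O_NOFOLLOW, mkstemp, symlink, fstat */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Defensive reopen for code that must reuse the name: refuse to follow a
 * symlink and verify that the reopened object is the very inode we created.
 * Returns a new fd, or -1 if the name no longer refers to our file. */
int reopen_verified(int fd, const char *path)
{
    struct stat orig, now;
    int fd2 = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd2 < 0) return -1;                          /* ELOOP on a symlink */
    if (fstat(fd, &orig) < 0 || fstat(fd2, &now) < 0 ||
        orig.st_dev != now.st_dev || orig.st_ino != now.st_ino) {
        close(fd2);
        return -1;
    }
    return fd2;
}

/* Self-check: create a temp file the safe way (keep the fd from mkstemp and
 * write through it), swap its name for a symlink to a constructed decoy we
 * own, and confirm the verified reopen refuses the swapped name while the
 * decoy stays intact. Returns 1 when the check behaves as intended. */
int demo(void)
{
    char path[] = "/tmp/ktemp-demo-XXXXXX", decoy[] = "/tmp/ktemp-decoy-XXXXXX";
    int fd = mkstemp(path), dfd = mkstemp(decoy);
    if (fd < 0 || dfd < 0) return -1;
    if (write(dfd, "valuable\n", 9) != 9) return -1;  /* stands in for id_dsa */
    if (write(fd, "scratch\n", 8) != 8) return -1;    /* safe: via the open fd */
    int fd2 = reopen_verified(fd, path);              /* untouched name: ok */
    int honest_ok = fd2 >= 0;
    if (fd2 >= 0) close(fd2);
    unlink(path);                                     /* step 3, simulated */
    if (symlink(decoy, path) != 0) return -1;
    int swapped_caught = reopen_verified(fd, path) < 0;
    struct stat st;                                   /* decoy still intact? */
    int intact = fstat(dfd, &st) == 0 && st.st_size == 9;
    close(fd); close(dfd); unlink(path); unlink(decoy);
    return honest_ok && swapped_caught && intact;
}

int main(void) { printf("%s\n", demo() == 1 ? "check passed" : "check FAILED"); return 0; }
```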