Excessive privileges - Temporary Files
Description
The application creates temporary files without properly restricting their privileges or access modes, allowing an attacker to craft new attack vectors.
Impact
- Get access to the created temporary files.
- Tamper data contained in the created temporary files.
Recommendation
Create the temporary files in a different directory than the default provided by the operating system and ensure it has 0600 permission mask.
Threat
Authenticated attacker with local access to the server.
Expected Remediation Time
⌚ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: L
- Attack complexity: H
- Privileges required: H
- User interaction: R
- Scope: U
- Confidentiality: L
- Integrity: L
- Availability: N
Temporal
- Exploit code maturity: P
- Remediation level: U
- Report confidence: C
Result
- Vector string: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:P/RL:U/RC:C
- Score:
- Base: 2.9
- Temporal: 2.8
- Severity:
- Base: Low
- Temporal: Low
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: L
- Attack complexity: H
- Attack Requirements: N
- Privileges required: H
- User interaction: A
- Confidentiality (VC): L
- Integrity (VI): L
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P
Result 4.0
- Vector string: CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
- Score:
- CVSS-BT: 0.3
- Severity:
- CVSS-BT: Low
Details
The Java method java.io.File.createTempFile has the following signature:
    public static File createTempFile(
        // The prefix string defines the file's name;
        // must be at least three characters long
        String prefix,
        // The suffix string defines the file's extension;
        // if null, the suffix ".tmp" will be used
        String suffix,
        // The directory in which the file is to be created.
        // For the default temporary-file directory, null is to be passed.
        File directory
    )
The first two arguments do not affect security of the created file.
In Linux, files and directories are different entities: they have their own permissions and are isolated from other files and directories.
Protections you apply to the directory do not affect the files inside of it.
For example, if I protect the directory I can prevent an attacker from executing the ls command, but nothing impedes the attacker from executing cat directory/file.
To prevent access to the file we must protect the file, not the directory.
Additionally, we must make sure that permissions are set atomically. If we do not, the following situation can happen:
- At moment A we create a file with File.createTempFile().
- At moment B we add secure permissions to the file.
After moment B the file is secured. However, between moment A and moment B the file has insecure permissions, and an attacker has enough opportunity to get control over it.
Vulnerable implementation
The java.io.File.createTempFile method creates files with write permissions for group and others:
    import java.io.File;

    public class Test {
        public static void main(String[] args) {
            try {
                System.out.println(File.createTempFile("xxx", null));
            }
            catch (Exception e) {}
        }
    }
    /*
     * $ ls -al $(javac Test.java && java Test)
     *
     * -rw-r--r-- 1 fluid fluid 0 Aug 28 14:44 /tmp/xxx948760279845756007.tmp
     */
Secure implementation
- Use java.nio.file.Files.createTempFile.
- Use the attrs argument (an optional list of file attributes to set atomically when creating the file).
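A sketch of the two points above combined with the recommendation to avoid the default temporary directory. This is an added example, not code from the original page: the class name SecureTemp, the helper createPrivateTempFile, the use of user.home as base directory and the 0700 mode for the private directory are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class SecureTemp {
    // Owner-only modes: 0700 for the private directory (assumption), 0600 for the file.
    private static final FileAttribute<Set<PosixFilePermission>> DIR_MODE =
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
    private static final FileAttribute<Set<PosixFilePermission>> FILE_MODE =
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));

    static Path createPrivateTempFile(Path baseDir) throws IOException {
        // POSIX attributes are rejected on file systems without a "posix" view
        // (e.g. default Windows volumes), so fail closed instead of falling back.
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            throw new UnsupportedOperationException("POSIX permissions not supported");
        }
        // Application-owned directory instead of the shared default temp directory.
        Path dir = Files.createTempDirectory(baseDir, "app-", DIR_MODE);
        // The attrs argument applies the mode at creation, so there is no
        // window between "moment A" and "moment B".
        Path file = Files.createTempFile(dir, "xxx", ".tmp", FILE_MODE);
        // Verify what the file system actually applied.
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(file);
        if (!actual.equals(PosixFilePermissions.fromString("rw-------"))) {
            Files.delete(file);
            throw new IOException("unexpected permissions: " + PosixFilePermissions.toString(actual));
        }
        return file;
    }

    public static void main(String[] args) throws IOException {
        // baseDir is an assumption: any directory owned by the application user.
        Path base = Path.of(System.getProperty("user.home"));
        Path file = createPrivateTempFile(base);
        Files.write(file, "secret".getBytes(StandardCharsets.UTF_8));
        System.out.println(PosixFilePermissions.toString(Files.getPosixFilePermissions(file)) + " " + file);
        Files.delete(file);
        Files.delete(file.getParent());
    }
}
```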
Requirements
- 095.Define users with privileges
- 096.Set user's required privileges
- 186.Use the principle of least privilege
Fixes