Spotting /tmp related vulnerabilities with TmpWatcher

Did you know that misuse of the /tmp directory is one of the most common security flaws? If you search MITRE for the keyword “tmp”, you’ll find a plethora of vulnerabilities (529 at the time of this writing). Because /tmp is a world-writable directory, applications need to be very careful about how they create and use files in /tmp. Unfortunately, many developers are unaware that improper use of /tmp can lead to symlink race, TOCTOU, information disclosure, privilege escalation, and denial-of-service vulnerabilities.

Simple solution to a complex problem

There are many open source projects that continue to use /tmp in an unsafe way. As members of the open source community, we have the opportunity to find and report these types of vulnerabilities. In order to discover more vulnerabilities in less time, TmpWatcher was created. TmpWatcher watches for misuse of the `/tmp` directory, which can lead to many different kinds of security vulnerabilities.

There are two ways to find vulnerabilities caused by the misuse of /tmp. The first is to read source code and search for code that creates files in /tmp. By evaluating this code, you can determine whether or not temporary files are created safely. This approach has the drawback of being somewhat time-consuming. The second way to find these vulnerabilities is to develop a heuristic that will identify unsafe usage of /tmp at runtime. TmpWatcher takes the latter approach.

An efficient way to spot vulnerabilities

One of the most exciting things about open source software is that it gives everyone the opportunity to contribute. A great way to contribute to open source projects is by discovering and reporting security vulnerabilities. TmpWatcher monitors /tmp in real time and watches for files or directories with world-writable permissions (o+w). When files with insecure permissions in /tmp are detected, an alert is logged. As you go about your daily activities, you’ll be notified if an application you’re using makes unsafe use of /tmp. You can take note of what application you were using at the time of the alert and, at your leisure, investigate the alert and report it to the application’s developers.

Get it working

Using TmpWatcher is as easy as installing the tmpwatcher snap and running it:

sudo snap install tmpwatcher

You can test that tmpwatcher is working properly by creating a directory with world-writable permissions in /tmp:

mkdir --mode=0777 /tmp/test_dir

In some cases, a user’s umask will help to mitigate potential vulnerabilities caused by unsafe usage of /tmp. On Ubuntu, for example, the default umask is 002, which will cause the o+w bit to be unset. As a result, potential vulnerabilities may fly under TmpWatcher’s radar. To combat this, you can cast a wider net by invoking TmpWatcher with the --perms-mask argument:

tmpwatcher --perms-mask 077
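
The effect of the umask on this kind of check can be reproduced with a short script. This is an added example, not TmpWatcher's own code: it does a one-shot scan of a private scratch directory rather than real-time monitoring, and it assumes an entry is flagged when any of its permission bits overlap the mask. The names `flag_entries` and `demo` are hypothetical.

```python
import os
import tempfile

O_W = 0o002   # default described on the page: world-writable (o+w)
WIDE = 0o077  # value passed to --perms-mask in the command above


def flag_entries(directory, perms_mask=O_W):
    """Return sorted (name, mode) pairs whose permission bits overlap perms_mask.

    Assumption: an entry is flagged when (mode & perms_mask) != 0; this is
    not taken from TmpWatcher's source.
    """
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_symlink():
                continue  # a symlink's own mode bits carry no meaning on Linux
            mode = entry.stat(follow_symlinks=False).st_mode & 0o777
            if mode & perms_mask:
                hits.append((entry.name, mode))
    return sorted(hits)


def demo():
    """Create entries under umask 002 in a private scratch dir, then scan twice."""
    old_umask = os.umask(0o002)  # the Ubuntu default cited on the page
    try:
        with tempfile.TemporaryDirectory() as scratch:
            # Requests 0777, but the umask strips o+w, leaving 0775.
            os.mkdir(os.path.join(scratch, "requested_0777"), 0o777)
            # Requests 0666; the umask leaves 0664.
            fd = os.open(os.path.join(scratch, "requested_0666"),
                         os.O_CREAT | os.O_WRONLY, 0o666)
            os.close(fd)
            # mkstemp creates the file 0600 with O_EXCL, so neither mask matches.
            fd, _path = tempfile.mkstemp(dir=scratch, prefix="safe_")
            os.close(fd)
            return flag_entries(scratch, O_W), flag_entries(scratch, WIDE)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    narrow, wide = demo()
    print("mask 002:", [(n, oct(m)) for n, m in narrow])
    print("mask 077:", [(n, oct(m)) for n, m in wide])
```

With the o+w mask nothing is reported, even though two of the entries were created with world-writable modes requested; the 077 mask catches both and still ignores the `mkstemp` file.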

TmpWatcher provides a number of options which allow you to watch directories other than /tmp, watch directories recursively, specify a config file, and run as a daemon. In addition, TmpWatcher can be configured to send alerts to a syslog server so that alerts from multiple systems can all be viewed in one place.

Are you interested in vulnerability research? Are you a software developer who wants to check their software for misuse of the /tmp directory? Give TmpWatcher a try!

For more information about TmpWatcher, see TmpWatcher’s home page on GitHub or check it out in the snap store.


