|Subject:||Insecure /tmp file handling|
Parallel::ForkManager's handling of temporary files is very insecure. 1) Temporary file names are predictable. There is nothing random about the temporary file names in Parallel::ForkManager. Using a predictable filename in a directory writable by other turns theoretical exploits (if I guess the filename and do X, Y, Z) into actual exploits (if I do X Y Z.) 2) Parallel::ForkManager allows overwriting arbitrary files. Ex: Root is running code under Parallel::Forkmanager that uses the temporary file logic. Attacker sees the code running in ps output and symlinks /tmp/Parallel-ForkManager-$parent_pid-$child_pid.txt to /etc/shadow. Storable will overwrite the shadow file and make logins impossible on the system. 3) Parallel::ForkManager allows an attacker to feed arbitrary data to the return mechanism. Ex: Root is running code under Parallel::ForkManager that uses the temporary file logic. Attacker creates a dangling symlink from /tmp/Parallel-ForkManager-$parent_pid-$child_pid.txt to /home/attacker/attack.txt. Now the attacker goes into a loop waiting for attack.txt to appear and as soon as it does the attacker unlinks it and replaces it with a file containing whatever arbitrary data the attacker wants to feed into the parent. 4) Parallel::ForkManager uses insecure permissions on its temporary files. Sotrable is just going to use the umask when creating the temporary files. The default on umask on most systems is 0022 meaning that any account on the system can inspect the contents of the /tmp files.