[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security vulnerability in automake

From: Lawrence Teo
Subject: Security vulnerability in automake
Date: Sat, 01 Jun 2002 18:28:52 -0400

I was learning Automake last night, and I think I found a security
vulnerability. I'm not sure if this is already known, but I couldn't
find it on Bugtraq. The security vulnerability is the insecure
creation of temporary files in the config.guess script which leads
to a race condition.

In the config.guess script, there's a line that says:


And further down...

echo "int dummy(){}" > $dummy.c ;

An attacker can create a number of symbolic links called
dummy-PID.c pointing to important files like /etc/passwd. PID in
this case would be the attacker's guesses on what the PID of the
config.guess script will run as. If root runs ./configure in a
source tree containing these malicious symlinks, and if the
configure script in turn runs config.guess, the /etc/passwd file
may potentially be overwritten with "int dummy(){}", resulting in
a denial of service attack.

Of course, we all know root shouldn't be running configure, but I
still feel that this is a potential vulnerability that needs to be

Apart from dummy-$$.c, the other temporary files that are created
are dummy-$$.s and dummy-$$.rel.

My recommendations are:

1. Check if the dummy file exists. If it does, append a number to
  it. If that still exists, keep changing that number until we
  come up with a filename that does not already exist (this is
  similar to mutt's temporary files /tmp/mutt-HOSTNAME-PID-SOMENUM);

2. Use a random hash value instead of the process ID ($$), which
  would be the preferred alternative. However, I don't know how
  feasible it is to do this in a simple, portable way that's
  consistent with Automake.

I've written a proof-of-concept exploit in C, which was pretty trivial
to write. If anyone's interested (and if it's appropriate), I'll post
the code here.

I've tested this on:

automake 1.4p4 on Debian GNU/Linux 3.0 (testing)
automake 1.5 on Slackware 8.0 current

Other automake versions may be vulnerable as well. The line also
appears in config.guess of automake 1.6.1, but I did not test it.

Lawrence Teo

Lawrence Teo
lcteo at uncc dot edu

Chat with friends online, try MSN Messenger:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]