[Full-Disclosure] Matlab /tmp usage

From: Paul Szabo (psz@maths.usyd.edu.au)
Date: 12/22/02


From: psz@maths.usyd.edu.au (Paul Szabo)
Date: Mon, 23 Dec 2002 06:08:48 +1100

INTRODUCTION

MATLAB is "The Language of Technical Computing"
http://www.mathworks.com/

PROBLEM

As installed on UNIX machines, matlab uses shell scripts to launch; these
scripts use files in /tmp in an unsafe way.

DETAILS

The matlab script uses /tmp/$$a and may clobber it, allowing an attacker
to "wipe out" any file belonging to the matlab user. Suppose the attacker
guesses what PID will be used next and creates a symlink with

  ln -s ~victim/.profile /tmp/PIDa

then waits for the victim to run matlab: the victim's .profile gets
overwritten with garbage. (If root ever uses matlab then any file, e.g.
/etc/passwd, could similarly be trashed.)

It might be argued that it is hard to guess what PID will be used next.
It is easy enough to create a few thousand symlinks with likely PIDs; in
fact the attacker could create a symlink for every possible PID (as these
normally range from 0 to 32k or 64k).

The mex script may similarly clobber both /tmp/$$a and /tmp/$$b. Worse,
it sources (executes) any existing /tmp/$$a script, allowing an attacker
to execute any commands as the mex user. Proof-of-concept
(script-kiddie-safe) code:

  echo 'echo You lose: rm -rf $HOME >> $HOME/.profile' > /tmp/evil
  perl -e 'for (1..32000) { symlink "/tmp/$_a", "/tmp/evil" }'

then wait for any victim to use mex (if root ever uses mex then any
actions may be taken).

VENDOR COMMUNICATION

 5 Dec 2002 MathWorks notified
10 Dec 2002 case ID is: 1034529
16 Dec 2002 engineers [will] try to validate
18 Dec 2002 working on a solution for the next release of MATLAB R14
18 Dec 2002 if you have a WORKING fix ... [recommend] comp.soft-sys.matlab

WORKAROUND/PATCH

I suggest you use something similar to the following patches. (Standard
textbook techniques: use a safe directory, and do not use files at all.)

*** matlab/6.5/bin/matlab.old Tue Sep 24 10:52:30 2002
--- matlab/6.5/bin/matlab Thu Dec 19 08:36:04 2002
***************
*** 137,145 ****
  #
  # Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
  #
! temp_file=/tmp/$$a
  #
! trap "rm -f $temp_file; exit 1" 1 2 3 15
  #
  #========================= archlist.sh (start) ============================
  #
--- 137,147 ----
  #
  # Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
  #
! temp_dir=/tmp/$$a
! temp_file=$temp_dir/a
! mkdir -m 700 $temp_dir || exit 1
  #
! trap "rm -rf $temp_dir; exit 1" 1 2 3 15
  #
  #========================= archlist.sh (start) ============================
  #
***************
*** 1790,1798 ****
      echo '------------------------------------------------------------------------') >> $temp_file
  #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
          more $temp_file
! rm -f $temp_file
          exit 0
      fi
  #
  # Export the variables
  #
--- 1792,1801 ----
      echo '------------------------------------------------------------------------') >> $temp_file
  #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
          more $temp_file
! rm -rf $temp_dir
          exit 0
      fi
+ rm -rf $temp_dir
  #
  # Export the variables
  #

*** matlab/6.5/bin/mex.old Tue Sep 24 10:52:30 2002
--- matlab/6.5/bin/mex Thu Dec 19 11:07:34 2002
***************
*** 1014,1021 ****
          exit 1
      fi
      if [ "$verbose" = "1" ]; then
! temp_file=/tmp/$$b
! files_to_remove="$files_to_remove $temp_file"
          . $MATLAB/bin/util/oscheck.sh
          if [ "$oscheck_status" = "1" ]; then
              cleanup
--- 1014,1023 ----
          exit 1
      fi
      if [ "$verbose" = "1" ]; then
! temp_dir=/tmp/$$b
! temp_file=$temp_dir/b
! files_to_remove="$files_to_remove $temp_dir"
! mkdir -m 700 $temp_dir || exit 1
          . $MATLAB/bin/util/oscheck.sh
          if [ "$oscheck_status" = "1" ]; then
              cleanup
***************
*** 1031,1038 ****
  #
  # Source the file of argument variables, name=[def]
  #
! if [ -f /tmp/$$a ]; then
! . /tmp/$$a
      fi
  
  #
--- 1033,1043 ----
  #
  # Source the file of argument variables, name=[def]
  #
! #if [ -f /tmp/$$a ]; then
! # . /tmp/$$a
! #fi
! if [ -n "$EVAL_ASSIGNS" ]; then
! eval "$EVAL_ASSIGNS"
      fi
  
  #
***************
*** 1505,1510 ****
--- 1510,1516 ----
     ARCH=
      Arch='Undetermined'
      verbose=0
+ EVAL_ASSIGNS=
  #
  # Use a C entry point by default
  #
***************
*** 1698,1705 ****
              *[=\#]*)
                  lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
                  rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
! echo $lhs='"'$rhs'"' >> /tmp/$$a
! files_to_remove="$files_to_remove /tmp/$$a"
                  ;;
              *.c) # c source file.
                  cfiles='1'
--- 1704,1712 ----
              *[=\#]*)
                  lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
                  rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
! #echo $lhs='"'$rhs'"' >> /tmp/$$a
! #files_to_remove="$files_to_remove /tmp/$$a"
! EVAL_ASSIGNS="$EVAL_ASSIGNS$lhs="'"'"$rhs"'";'
                  ;;
              *.c) # c source file.
                  cfiles='1'

SIGNATURE

Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia



Relevant Pages

  • [UNIX] Matlab Uses the /tmp Directory Insecurely
    ... Matlab uses shell scripts to launch; ... Matlab's scripts use /tmp/$$a and may clobber it, allowing an attacker to ... It might be argued that it is hard to guess what PID will be used next. ...
    (Securiteam)
  • Re: Start a bash script from MATLAB and execute in its own shell
    ... I've fine problem for Linux and MATLAB fans. ... scripts in my algorithm which is coded in MATLAB installed in UBUNTU 10.04. ... The trick is that the bash scripts run many hours and my goal is to ...
    (comp.soft-sys.matlab)
  • Matlab /tmp usage
    ... MATLAB is "The Language of Technical Computing" ... matlab uses shell scripts to launch; ... The matlab script uses /tmp/$$a and may clobber it, allowing an attacker ... It might be argued that it is hard to guess what PID will be used next. ...
    (Bugtraq)
  • Re: scritpts vs functions
    ... It seems that Matlab passes variables by reference, ... As far as exexcution speed for functions versus scripts, ... You can use tic and toc to determine the ...
    (comp.soft-sys.matlab)
  • Re: program for pid algorithm
    ... > controller.i want to write a program in matlab for pid algorithm. ... PID controller transfer function is ... We had a text book which has Matlab code that shows how to do this, ...
    (comp.soft-sys.matlab)