[UNIX] Matlab Uses the /tmp Directory Insecurely

From: support@securiteam.com
Date: 12/25/02


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Matlab Uses the /tmp Directory Insecurely
    ------------------------------------------------------------------------

    SUMMARY

    As installed on UNIX machines, Matlab uses shell scripts to launch; these
    scripts use files in /tmp in an unsafe way.

    DETAILS

    Matlab's scripts use /tmp/$$a and may clobber it, allowing an attacker to
    "wipe out" any file belonging to the Matlab user. Suppose the attacker
    guesses what PID will be used next and creates a symlink with

      ln -s ~victim/.profile /tmp/PIDa

    and then waits for the victim to run matlab: the victim's .profile gets
    overwritten with garbage. (If root ever uses Matlab then any file, e.g.
    /etc/passwd, could similarly be trashed.)

    It might be argued that it is hard to guess what PID will be used next. It
    is easy enough to create a few thousand symlinks with likely PIDs; in fact
    the attacker could create a symlink for every possible PID (as these
    normally range from 0 to 32k or 64k).

    The mex script may similarly clobber both /tmp/$$a and /tmp/$$b. Worse, it
    sources (executes) any existing /tmp/$$a script, allowing an attacker to
    execute any commands as the mex user.
    Proof-of-concept:
      echo 'echo You lose: rm -rf $HOME >> $HOME/.profile' > /tmp/evil
      perl -e 'for (1..32000) { symlink "/tmp/$_a", "/tmp/evil" }'

    Then wait for any victim to use mex (if root ever uses mex then any
    actions may be taken).

    Vendor response:
    5 Dec 2002 MathWorks notified
    10 Dec 2002 case ID is: 1034529
    16 Dec 2002 engineers [will] try to validate
    18 Dec 2002 working on a solution for the next release of MATLAB R14
    18 Dec 2002 if you have a WORKING fix ... [recommend] comp.soft-sys.matlab

    Workaround:
    Paul suggests you use something similar to the following patches.
    (Standard textbook techniques: use a safe directory, and do not use files
    at all.)
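    As an added example (not code from the advisory or from MathWorks), the "safe directory" technique the workaround relies on, written as a POSIX sh function beside the vulnerable pattern it replaces, with a sandboxed demo of why a predictable path that is opened with a redirection is unsafe; make_tempdir, unsafe_tempfile and tmpdir_demo are assumed names.

```shell
#!/bin/sh
# Added example, not code from the advisory or from MathWorks: the
# "safe directory" technique behind the workaround, next to the vulnerable
# pattern it replaces. make_tempdir and tmpdir_demo are hypothetical names.

# Vulnerable pattern: a redirection to a predictable path follows whatever
# symlink is already there and truncates its target.
unsafe_tempfile() {
    : > "$1" 2>/dev/null
}

# Hardened pattern: mkdir is atomic and never follows a symlink, so a
# pre-planted entry makes it fail instead of clobbering, and -m 700 keeps
# the directory private. mktemp(1) is preferred where present: its name is
# unpredictable, so a guessable path cannot even be used to block startup.
make_tempdir() {
    base="${TMPDIR:-/tmp}"
    if command -v mktemp >/dev/null 2>&1; then
        mktemp -d "$base/matlab.XXXXXXXX"
        return
    fi
    n=0
    while [ "$n" -lt 10 ]; do        # fallback: retry a few candidates
        d="$base/matlab.$$.$(date +%s).$n"
        if mkdir -m 700 "$d" 2>/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Demo in a private sandbox, with a constructed pre-planted symlink:
# returns 0 only if the unsafe pattern empties the victim file and the
# hardened pattern leaves it untouched.
tmpdir_demo() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim"
    printf 'keep me\n' > "$victim"
    ln -s "$victim" "$sandbox/planted"
    unsafe_tempfile "$sandbox/planted"
    [ -s "$victim" ] && { rm -rf "$sandbox"; return 1; }   # not clobbered?
    printf 'keep me\n' > "$victim"
    mkdir -m 700 "$sandbox/planted" 2>/dev/null && { rm -rf "$sandbox"; return 1; }
    content=$(cat "$victim")
    rm -rf "$sandbox"
    [ "$content" = "keep me" ]
}
```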

    *** matlab/6.5/bin/matlab.old Tue Sep 24 10:52:30 2002
    --- matlab/6.5/bin/matlab Thu Dec 19 08:36:04 2002
    ***************
    *** 137,145 ****
      #
      # Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
      #
    ! temp_file=/tmp/$$a
      #
    ! trap "rm -f $temp_file; exit 1" 1 2 3 15
      #
      #========================= archlist.sh (start)
    ============================
      #
    --- 137,147 ----
      #
      # Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
      #
    ! temp_dir=/tmp/$$a
    ! temp_file=$temp_dir/a
    ! mkdir -m 700 $temp_dir || exit 1
      #
    ! trap "rm -rf $temp_dir; exit 1" 1 2 3 15
      #
      #========================= archlist.sh (start)
    ============================
      #
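    Review bot: in the new lines 137-147, `mkdir -m 700 $temp_dir || exit 1` runs before `trap "rm -rf $temp_dir; exit 1" 1 2 3 15`, so a signal arriving between the two leaves the directory behind; set the trap first. Because mkdir is atomic and does not follow symlinks, a pre-planted `/tmp/<pid>a` now makes the launcher exit 1 instead of clobbering the link target, but the name is still derived only from `$$`, so the fix trades the file clobber for a denial of service whenever that path is already occupied; `mktemp -d` where available, or something unguessable mixed into the name, would close that too.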
    ***************
    *** 1790,1798 ****
          echo
    '------------------------------------------------------------------------') >> $temp_file
      
    #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      more $temp_file
    ! rm -f $temp_file
      exit 0
          fi
      #
      # Export the variables
      #
    --- 1792,1801 ----
          echo
    '------------------------------------------------------------------------') >> $temp_file
      
    #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      more $temp_file
    ! rm -rf $temp_dir
      exit 0
          fi
    + rm -rf $temp_dir
      #
      # Export the variables
      #
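    Review bot: the `rm -rf $temp_dir` before `exit 0` and the new `+ rm -rf $temp_dir` after `fi` only cover exits that pass through this region; any other `exit` elsewhere in the script leaves `/tmp/<pid>a` behind for the next process that gets that PID. A single `trap "rm -rf $temp_dir" 0` beside the existing signal trap removes the directory on every exit and makes both explicit removals unnecessary.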

    *** matlab/6.5/bin/mex.old Tue Sep 24 10:52:30 2002
    --- matlab/6.5/bin/mex Thu Dec 19 11:07:34 2002
    ***************
    *** 1014,1021 ****
              exit 1
          fi
          if [ "$verbose" = "1" ]; then
    ! temp_file=/tmp/$$b
    ! files_to_remove="$files_to_remove $temp_file"
              . $MATLAB/bin/util/oscheck.sh
              if [ "$oscheck_status" = "1" ]; then
                  cleanup
    --- 1014,1023 ----
              exit 1
          fi
          if [ "$verbose" = "1" ]; then
    ! temp_dir=/tmp/$$b
    ! temp_file=$temp_dir/b
    ! files_to_remove="$files_to_remove $temp_dir"
    ! mkdir -m 700 $temp_dir || exit 1
              . $MATLAB/bin/util/oscheck.sh
              if [ "$oscheck_status" = "1" ]; then
                  cleanup
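    Review bot: `files_to_remove="$files_to_remove $temp_dir"` puts a directory into a list whose name suggests it is cleared with `rm -f`; unless `cleanup` uses `rm -rf`, the mode-700 directory and the `b` file inside it will survive with an error. Also, `mkdir -m 700 $temp_dir || exit 1` bypasses `cleanup`, so anything already in `$files_to_remove` leaks on that path; calling `cleanup` as the oscheck failure branch just below does would be consistent.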
    ***************
    *** 1031,1038 ****
      #
      # Source the file of argument variables, name=[def]
      #
    ! if [ -f /tmp/$$a ]; then
    ! . /tmp/$$a
          fi
      
      #
    --- 1033,1043 ----
      #
      # Source the file of argument variables, name=[def]
      #
    ! #if [ -f /tmp/$$a ]; then
    ! # . /tmp/$$a
    ! #fi
    ! if [ -n "$EVAL_ASSIGNS" ]; then
    ! eval "$EVAL_ASSIGNS"
          fi
      
      #
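    Review bot: the `#if [ -f /tmp/$$a ]`, `# . /tmp/$$a` and `#fi` lines are dead code; delete them rather than leaving them commented out, since the point of the change is that mex no longer reads anything from /tmp. `eval "$EVAL_ASSIGNS"` keeps the same trust boundary as sourcing a file the script itself wrote from the mex user's own arguments, so no privilege is crossed, but its safety depends on `lhs` having been restricted to `[a-zA-Z0-9_]*` where the string is built; a one-line comment here saying so would help the next maintainer.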
    ***************
    *** 1505,1510 ****
    --- 1510,1516 ----
         ARCH=
          Arch='Undetermined'
          verbose=0
    + EVAL_ASSIGNS=
      #
      # Use a C entry point by default
      #
    ***************
    *** 1698,1705 ****
                  *[=\#]*)
                      lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
                      rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
    ! echo $lhs='"'$rhs'"' >> /tmp/$$a
    ! files_to_remove="$files_to_remove /tmp/$$a"
                      ;;
                  *.c) # c source file.
                      cfiles='1'
    --- 1704,1712 ----
                  *[=\#]*)
                      lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
                      rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
    ! #echo $lhs='"'$rhs'"' >> /tmp/$$a
    ! #files_to_remove="$files_to_remove /tmp/$$a"
    ! EVAL_ASSIGNS="$EVAL_ASSIGNS$lhs="'"'"$rhs"'";'
                      ;;
                  *.c) # c source file.
                      cfiles='1'
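    Review bot: `EVAL_ASSIGNS="$EVAL_ASSIGNS$lhs="'"'"$rhs"'";'` embeds `$rhs` inside double quotes that `eval` re-parses, so a value containing `"`, `$` or a backquote is expanded or breaks the assignment. The old `echo $lhs='"'$rhs'"' >> /tmp/$$a` had the same problem plus unquoted word splitting of `$rhs`, so this is not a regression, but wrapping the value in single quotes (with any embedded `'` escaped) would assign it literally. The two commented-out lines above should be removed rather than kept.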

    ADDITIONAL INFORMATION

    The information has been provided by Paul Szabo <psz@maths.usyd.edu.au>.
