--Apple-Mail-12--224077411 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Dear Tim, Please issue a statement retracting your "security vulnerability" CV2-2007-2056. Your alleged vulnerability in aimage is not a bug because the function getlock() is never called. Although I appreciate the fact that you have done a security audit on my code, many of the bugs that you identified as "security vulnerabilities" were not vulnerabilities because there was no way to exploit them. And in this case, you have merely identified a bug in code that is not even callable. I understand that it's exciting to get your name out there as a "security researcher," but I think that there are better targets from which to choose. Sincerely, Simson Garfinkel Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=- Advisory Name: Time-of-Check-Time-of-Use File Race in AFFLIB Release Date: 2007-04-27 Application: AFFLIB(TM) Versions: 2.2.0-2.2.8 and likely earlier versions. Severity: Low Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com> Vendor Status: Vendor Notified CVE Candidate: CVE-2007-2056 Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib- toctou.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=- Product Description: > From the forensicswiki.org website[1]: "The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata. It was developed by Simson Garfinkel and Basis Technology." AFFLIB(TM) is the reference implementation of the AFF(TM) format, written primarily by Simson Garfinkel. It comes in the form of an open source library and a set of command line tools used to manipulate AFF(TM) files. Vulnerability Overview: In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a security code review of AFFLIB(TM) as a part of an internal tool assessment process. As a result, multiple vulnerabilities of varying severities were discovered. The most significant of these vulnerabilities are being announced publicly to raise awareness and help end-users secure themselves against potential attack. A time-of-check-time-of-use race was discovered in AFFLIB(TM) which could allow an attacker on the local machine to overwrite an arbitrary file. Because the content of the file would not be controllable by an attacker, it is unlikely that this is vulnerability is exploitable for more than a denial-of-service. This vulnerability remains in the latest version (2.2.8) despite several notifications to the vendor. All line numbers listed below are from version 2.2.0. Vulnerability Details: File: aimage/aimage.cpp Lines: 554-575 Platforms Affected: Unix Description: A mostly predictable name for the lockfile as it is created under /tmp. An access check is first performed, and later the file is opened, truncating if it already exists. Since the time of check and time of use are not the same, a filesystem race could be exploited by a local attacker through the use of a symlink. Lines 548-582 are included below to illustrate the problem: int getlock(class imager *im) { /* If the file exists and the PID in the file is running, * can't get the lock. */ char lockfile[MAXPATHLEN]; sprintf(lockfile,"/tmp/aimge.%s.lock",im->infile); if(access(lockfile,F_OK)==0){ /* Lockfile exists. Get it's pid */ char buf[1024]; FILE *f = fopen(lockfile,"r"); if(!f){ perror(lockfile); // can't read lockfile... return -1; } fgets(buf,sizeof(buf),f); buf[sizeof(buf)-1] = 0; int pid = atoi(buf); if(checkpid(pid)==0){ /* PID is not running; we can delete the lockfile */ if(unlink(lockfile)){ err(1,"could not delete lockfile %s: ",lockfile); } } /* PID is running; generate error */ errx(1,"%s is locked by process %d\n",im->infile,pid); } FILE *f = fopen(lockfile,"w"); if(!f){ err(1,lockfile); } fprintf(f,"%d\n",getpid()); // save our PID. fclose(f); return 0; } This is likely only exploitable for a denial-of-service condition, since the attacker would have little control over the content being written (the process ID of aimage). Vendor Response: Simson Garfinkel was first contacted on 2007-03-31. The following timeline outlines the responses from the vendor regarding this issue: 2007-04-01 - Vendor provided details of all vulnerabilities identified. 2007-04-03 - Continued vendor communication. 2007-04-05 - Vendor released version 2.2.6, containing multiple security fixes. 2007-04-06 - Vendor notified VSR that fixes were released. 2007-04-09 - VSR notified vendor that 9 vulnerability instances still remained in latest release. 2007-04-12 - Vendor confirmed that remaining vulnerabilities would be fixed in next release. 2007-04-25 - Vendor released versions 2.2.7 and 2.2.8. Vendor did not notify VSR. 2007-04-27 - VSR discovered new versions were released. VSR inspected version 2.2.8 and found that no additional vulnerabilities were fixed. VSR advisories published. Recommendation: AFFLIB(TM) users should upgrade to the newest version. Third-party projects which rely on AFFLIB(TM) should encourage users to upgrade, and/or incorporate fixes into their distribution of the library. The update is available via: http://www.afflib.org/downloads/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=- Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following name to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2007-2056 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=- References: 1. AFF - Forensics Wiki http://www.forensicswiki.org/wiki/AFF -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=- This advisory is distributed for educational purposes only, and comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=- Vulnerability Disclosure Policy: http://www.vsecurity.com/disclosurepolicy.html -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=- AFF(TM) and AFFLIB(TM) are trademarks of Simson Garfinkel and Basis Technology Corp. Included source code excerpts are copyright Simson Garfinkel and Basis Technology Corp. This advisory is copyright (C) 2007 Virtual Security Research, LLC. All rights reserved. --Apple-Mail-12--224077411 Content-Transfer-Encoding: base64 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Disposition: attachment; filename=smime.p7s MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGHzCCAtgw ggJBoAMCAQICEBgCHebBLTq+djK9kOtdSxIwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkEx JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQ ZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA3MDMwMzE1NTUzNloXDTA4MDMwMjE1NTUz NlowQTEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEeMBwGCSqGSIb3DQEJARYPc2lt c29uZ0BhY20ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAySSNt3G/bdZAomYy zxJ/06Ubxbz6xCHNM+sc1ZhpU1PAMQoGQ8atMbj9C6KJg82noN1z0m1xdAsJ741TZPHo/ydPKLMg F2VZDHSJj83e4/9+pROoDBMsrVWSU0aaKOYAQ1Xd6GRQUO8pXTevlXGTfqga5zxRXERiNL02JMOC 0s7qInb4x4Chz8WrzksKR8e17ZDRBtlOx+DCyKF4GtKePXqKzL/XEj57IT9kWeGOqnID/PeRLvxK h9ssvWBL2XkBSCgTWnJdZ+3imgO+wZSxkgaMhd15CqTKRMEDO1YOn2TxwbCpbQ/XVuGRjDW1TEcB zIwvSywbRLZqBgEsjr9Z5QIDAQABoywwKjAaBgNVHREEEzARgQ9zaW1zb25nQGFjbS5vcmcwDAYD VR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQCw8moTzrra6HSQfbuaQ+iYb4ghsaqKdQlvrPVa XX5i4G8uH5PzscQIBMQKMXuSwlELfSzRD70oF7QSTwJfcIigpg9hOdMgHlDLsgPO+bjjuFFs0cfk KHYOnwxDFo+tAs28SrxupC2bEvLJElCbYjqKBca1Rj8HlgxVqdAc7tE/TTCCAz8wggKooAMCAQIC AQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUx EjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsT H0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25h bCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNv bTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQK ExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwg RnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065 yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FW y688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5k GXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0 dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1UdDwQE AwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZIhvcN AQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNwPP2t 4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYITq726jTlEBpb NU1341YheILcIRk13iSx0x1G/11fZU8xggMQMIIDDAIBATB2MGIxCzAJBgNVBAYTAlpBMSUwIwYD VQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29u YWwgRnJlZW1haWwgSXNzdWluZyBDQQIQGAId5sEtOr52Mr2Q611LEjAJBgUrDgMCGgUAoIIBbzAY BgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNzA0MjgyMjI1MDJaMCMG CSqGSIb3DQEJBDEWBBRoPRYqIaTRREUmNMGUZDPV64FoSDCBhQYJKwYBBAGCNxAEMXgwdjBiMQsw CQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UE AxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEBgCHebBLTq+djK9kOtdSxIw gYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1 bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vp bmcgQ0ECEBgCHebBLTq+djK9kOtdSxIwDQYJKoZIhvcNAQEBBQAEggEAWY2oV7645p59XcbWOd9B Kuh9t0UaGRYBB9w3rpMYFmk9hM29jsy6guZzIKNwuHY2pRqrCmjs3qQJGA8dJnXUtFF7OE5i160P uRkAaYyVEY8Owe8/DPXT1VwlIUpyOmXeQtn8/tFrKciTYviu6SEMD6osXHCtdQpeSxdLuWchWc6k FOSWAnOGIwmDb14wQFJpUkpwWRsyHrV82ZshtpwNT+3ZXV2URhn7BzA06sVJ5ePL9PmSiywu/YP1 //TsUYydX/XXS9424NAQ1qPMxCgdmvceR7STn6O0ou2yh9yKz9+n5tbk9xeiL/FWIt9bMcSFqWbP pFvv/eu7X7MiXIAxngAAAAAAAA== --Apple-Mail-12--224077411--