================================
rpdump TOCTOU file-permissions vulnerability
================================

Software:           rpdump (part of the Pine mail package)
Version:            Pine 4.62
Software URL:       <http://www.washington.edu/pine/>
Platform:           Unix, Linux
Vulnerability type: Time-of-check-to-time-of-use (TOCTOU) race
Severity:           Low
Attacker requires:  a local user account and write access to the directory
                    rpdump writes its local file into (world-writable
                    sticky-bit directories such as /tmp qualify)
Attack result:      overwriting of an arbitrary file owned by the user
                    running rpdump

Vulnerable software
===================

rpdump as included with Pine 4.62 and previous versions running on Unix.

Vulnerability
=============

rpdump checks whether the local file it is about to create already exists,
and prompts before overwriting it, using the following code in rcdump.c:

    if(access(local, ACCESS_EXISTS) == 0){
        if(access(local, WRITE_ACCESS) == 0){
            sprintf(buf, "Local file \"%.20s\" exists, overwrite it",
                    (p = last_cmpnt(local)) ? p : local);
            if(wantto(buf, 'n', 'n') != 'y'){
                fprintf(stderr, "Dump cancelled\n");
                exit(-1);
            }
        }
        else{
            fprintf(stderr, "Local file \"%s\" is not writable\n", local);
            exit(-1);
        }
    }

However, it then performs network operations to fetch the remote file from
an IMAP server before eventually calling fopen(local, "w"). The time between
the access() check and the fopen() gives a local attacker with write access
to the destination directory an opportunity to create, at the path named by
"local", a symbolic link pointing to an arbitrary file owned by the user.
fopen() follows the link, and the target file is truncated and overwritten
with the dumped contents.

Workaround
==========

Ensure that any directory which is the local destination for rpdump is
writable only by the user. A code-level fix is to drop the separate
access() check and create the file with a single
open(local, O_WRONLY|O_CREAT|O_EXCL, mode) call, which fails with EEXIST if
anything (a regular file or a symbolic link) already exists at that path,
leaving no window between check and use.
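The following is an added demonstration of the race described above and of the
O_CREAT|O_EXCL fix; it is not code from Pine or from rpdump. It reproduces the
pattern in a scratch directory under /tmp: an access() check finds no local
file, the "attacker" plants a symlink to a victim file in the check-to-use
window, and the dump step then either follows the link (fopen, as rpdump does)
or refuses it (open with O_EXCL). The file names, the victim contents and the
use of F_OK in place of Pine's ACCESS_EXISTS macro are assumptions made for
the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed victim contents (stands in for e.g. ~/.pinerc or ~/.bashrc). */
#define VICTIM_DATA "victim's important file\n"

/* Returns 1 if the victim file still holds exactly VICTIM_DATA. */
static int victim_intact(const char *victim) {
    char buf[64] = {0};
    FILE *f = fopen(victim, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(VICTIM_DATA) && memcmp(buf, VICTIM_DATA, n) == 0;
}

/* Vulnerable "use" step, as in rpdump: fopen(local, "w") follows whatever
   is at the path by the time it runs, so a planted symlink is honoured. */
static int dump_naive(const char *local) {
    FILE *f = fopen(local, "w");
    if (!f) return 0;
    fputs("remote pinerc contents\n", f);
    fclose(f);
    return 1;
}

/* Hardened step: create the file atomically. O_CREAT|O_EXCL fails with
   EEXIST if any entry, including a symlink, already exists at the path,
   so the existence check and the creation are one operation. */
static int dump_hardened(const char *local) {
    int fd = open(local, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;          /* errno == EEXIST: refuse, do not overwrite */
    FILE *f = fdopen(fd, "w");
    if (!f) { close(fd); return 0; }
    fputs("remote pinerc contents\n", f);
    fclose(f);
    return 1;
}

/* simulate_race: runs the advisory's access() check, lets the attacker plant
   a symlink in the check-to-use window, then performs the dump.
   Returns 1 if the victim file was overwritten, 0 if it survived,
   -1 on setup failure. */
int simulate_race(int hardened) {
    char dir[] = "/tmp/rpdump-demo-XXXXXX";   /* scratch dir, hypothetical name */
    if (!mkdtemp(dir)) return -1;
    char victim[128], local[128];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(local, sizeof local, "%s/pinerc", dir);

    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs(VICTIM_DATA, f);
    fclose(f);

    int clobbered = -1;
    /* Time of check: "local" does not exist, so rpdump would not prompt. */
    if (access(local, F_OK) != 0) {
        /* Window: rpdump is busy talking to the IMAP server; the attacker,
           who can write to the directory, links "local" to the victim. */
        if (symlink(victim, local) == 0) {
            /* Time of use. */
            if (hardened) dump_hardened(local); else dump_naive(local);
            clobbered = victim_intact(victim) ? 0 : 1;
        }
    }
    unlink(local); unlink(victim); rmdir(dir);
    return clobbered;
}

int main(void) {
    printf("naive    fopen(\"w\"):      victim clobbered = %d\n", simulate_race(0));
    printf("hardened O_CREAT|O_EXCL:  victim clobbered = %d\n", simulate_race(1));
    return 0;
}
```

Run it on any Unix with a writable /tmp; the first line reports the victim
overwritten, the second reports it intact because open() refused the symlink.
Note that O_EXCL also removes the need for the access(local, WRITE_ACCESS)
branch: if the user really does want to replace an existing file, the program
can ask and then unlink() and retry the O_EXCL create, rather than reopening
the path with a plain fopen.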