Bug 1290635
Opened 9 years ago
Updated 2 years ago
Insecure temporary files for child process crash-time metadata
Categories
(Toolkit :: Crash Reporting, defect)
NEW
People
(Reporter: jld, Unassigned)
Details
(Keywords: csectype-priv-escalation, sec-low)
I noticed that, as a result of bug 1236108, when a child process crashes it tries to open a predictable filename in /tmp (GeckoChildCrash%d.extra with its pid) with the flags O_WRONLY|O_CREAT|O_TRUNC. In particular, O_EXCL is not used.
This means that if another user on the system creates a symlink there, Firefox will open an attacker-controlled file as the user running Firefox, truncate it to zero length, and then write (possibly empty) crash metadata to it.
This isn't the most severe form of this type of bug, because it requires the process to crash instead of just operate normally, and I don't know if it's currently possible for an attacker to usefully control any of the data written to this file.
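The two open() patterns the report contrasts, as an added example that is not Firefox's code: `open_crash_metadata_unsafe` reproduces the flag combination named above (O_WRONLY|O_CREAT|O_TRUNC, no O_EXCL), `open_crash_metadata_safe` adds O_EXCL|O_NOFOLLOW and a private mode, and `open_crash_metadata_mkstemp` avoids the predictable name altogether. `run_scenario` is a constructed harness: it builds a private directory under /tmp, a stand-in "known_hosts" file, and a symlink at the predictable crash-metadata name pointing at it, then reports whether the chosen opener succeeded and what size the stand-in file has afterwards. Function names, the directory template and the file contents are all assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern described in the report: predictable name, no O_EXCL.
 * If another user has planted a symlink at `path`, open() follows it
 * and O_TRUNC empties whatever it points at. Kept only for comparison. */
int open_crash_metadata_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened variant. With O_CREAT|O_EXCL, open(2) fails with EEXIST when
 * anything already exists at the final path component, a symlink included,
 * regardless of where it points. O_NOFOLLOW is extra insurance and 0600
 * keeps the metadata readable only by the crashing user. */
int open_crash_metadata_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Preferred fix: an unpredictable name chosen by mkstemp(3), which itself
 * uses O_CREAT|O_EXCL and mode 0600. The chosen path is written to out_path
 * so the parent process can find the file later. (Assumed helper name.) */
int open_crash_metadata_mkstemp(const char *dir, char *out_path, size_t out_len) {
    int n = snprintf(out_path, out_len, "%s/GeckoChildCrash.XXXXXX", dir);
    if (n < 0 || (size_t)n >= out_len) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(out_path);
}

struct scenario_result {
    int open_rc;            /* 0 if the opener returned a descriptor, else -1 */
    int open_errno;         /* errno when open_rc == -1 */
    long victim_size_after; /* size of the stand-in file after the attempt */
};

/* Constructed scenario: a symlink sits at the predictable name and points at
 * a file we want to keep intact. Everything lives in a fresh mkdtemp directory
 * and is removed afterwards. */
struct scenario_result run_scenario(int (*opener)(const char *)) {
    struct scenario_result r = { -1, 0, -1 };
    char dir[] = "/tmp/crashdemoXXXXXX";
    if (!mkdtemp(dir)) return r;

    char victim[PATH_MAX], link[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/known_hosts", dir);          /* stand-in dot-file */
    snprintf(link, sizeof link, "%s/GeckoChildCrash1234.extra", dir); /* predictable name */

    FILE *f = fopen(victim, "w");
    if (f) { fputs("host ssh-ed25519 AAAA...\n", f); fclose(f); }     /* constructed content */
    symlink(victim, link);

    int fd = opener(link);
    r.open_rc = fd < 0 ? -1 : 0;
    r.open_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);

    struct stat st;
    if (stat(victim, &st) == 0) r.victim_size_after = (long)st.st_size;

    unlink(link); unlink(victim); rmdir(dir);
    return r;
}

int main(void) {
    struct scenario_result u = run_scenario(open_crash_metadata_unsafe);
    struct scenario_result s = run_scenario(open_crash_metadata_safe);
    printf("unsafe: open_rc=%d victim_size=%ld\n", u.open_rc, u.victim_size_after);
    printf("safe:   open_rc=%d errno=%d (EEXIST=%d) victim_size=%ld\n",
           s.open_rc, s.open_errno, EEXIST, s.victim_size_after);
    return 0;
}
```

Run as an ordinary user: the unsafe opener succeeds and leaves the stand-in file at zero bytes, while the hardened opener is refused with EEXIST and the file keeps its contents. The mkstemp variant sidesteps the problem differently, by never using a name an attacker can guess in advance; its only cost is that the parent has to be told the generated name instead of deriving it from the child's pid.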
Comment 1•9 years ago
It isn't clear what you'd do with this aside from wiping out a file or something, so I'm just marking it sec-audit. Feel free to adjust as desired.
Keywords: csectype-priv-escalation, sec-audit
Updated•8 years ago
Group: toolkit-core-security
Comment 2•5 years ago
I could easily see this being able to delete a security-relevant dot-file in the user's home directory. e.g. known_hosts or .google_authenticator or similar.
Updated•2 years ago
Severity: normal → S3