michael orlitzky

CVE-2020-35766: OpenDKIM unsafe /tmp usage

posted 2020-12-28

Product: OpenDKIM
Versions affected: 2.10.3 and earlier
Published on: 2020-12-28
Author: Michael Orlitzky
Bug report: https://github.com/trusteddomainproject/OpenDKIM/issues/113
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35766

Summary

The OpenDKIM test suite relies on a fixed path under the world-writable /tmp for its temporary keys. The dangers of this are well-known. An attacker can exploit the situation to overwrite files belonging to the user who runs the test suite.

Details

The libopendkim portion of the OpenDKIM test suite uses a set of temporary keys to test itself. The temporary keys are created in libopendkim/tests/t-setup.c, which is intended to be the first test executed by the suite:

#include "t-testdata.h"
...
  f = fopen(KEYFILE, "w");
  assert(f != NULL);

  fprintf(f, "%s.%s.%s ", SELECTOR, DKIM_DNSKEYNAME, DOMAIN);
  for (p = PUBLICKEY; *p != '\0'; p++)
  {
    if (*p != '\n')
      putc(*p, f);
  }
  fprintf(f, "\n");
  ...
  fclose(f);

The corresponding KEYFILE path is defined in libopendkim/tests/t-testdata.h:

#define	KEYFILE        "/tmp/testkeys"

The /tmp directory is generally world-writable, and the path is public knowledge because it's written down right there in that file. As a result, an attacker can hijack the KEYFILE path before the test suite is run, causing the “setup” test to overwrite a file belonging to someone else, because fopen() with mode "w" follows symlinks and truncates whatever file it finds at the other end. For example, any user can symlink /tmp/testkeys to /etc/passwd. If the OpenDKIM test suite is later run as root, the system's password file will be overwritten with garbage.

Workaround

Until the issue is fixed, users can edit libopendkim/tests/t-testdata.h and replace /tmp with a directory that is only writable by the user building the software. OpenDKIM's own build directory might suffice.
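
The same idea can also be applied in code rather than by editing the header. The following is an added example, not OpenDKIM's code and not the upstream fix: it creates the key file inside a fresh private directory and refuses to write through anything that already exists at the chosen path. The function names, the directory template and the sample key contents are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create the key file only if nothing exists at `path`.
 * O_EXCL makes open() fail when the name is already taken, even by a
 * dangling symlink, so a pre-planted link is never written through. */
int write_keyfile_excl(const char *path, const char *contents)
{
  int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
  if (fd < 0) return -1;
  FILE *f = fdopen(fd, "w");
  if (f == NULL) {
    close(fd);
    unlink(path);
    return -1;
  }
  int ok = (fputs(contents, f) != EOF);
  if (fclose(f) != 0) ok = 0;
  return ok ? 0 : -1;
}

/* Hypothetical helper: make a new 0700 directory with an unpredictable name
 * (mkdtemp), then create the key file inside it. The resulting path is
 * returned in `path` so that later tests can be told where the keys live. */
int write_keyfile_private(char *path, size_t len, const char *contents)
{
  char dir[] = "/tmp/opendkim-tests.XXXXXX";  /* constructed template */
  if (mkdtemp(dir) == NULL) return -1;
  int n = snprintf(path, len, "%s/testkeys", dir);
  if (n < 0 || (size_t)n >= len) {
    rmdir(dir);
    return -1;
  }
  return write_keyfile_excl(path, contents);
}

int main(void)
{
  char path[256];
  if (write_keyfile_private(path, sizeof path, "constructed sample key\n") != 0) {
    perror("write_keyfile_private");
    return 1;
  }
  printf("keys written to %s\n", path);
  return 0;
}
```

Because the directory name is no longer fixed, the tests that read the keys need to receive the path at run time instead of from a compile-time constant.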