michael orlitzky

CVE-2023-34204: imapsync unsafe /tmp usage

posted 2023-05-30

Product: imapsync
Versions affected: 2.229 and earlier (all recent)
Published on: 2023-05-30
Bug report: https://github.com/imapsync/imapsync/issues/399
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34204

Summary

imapsync uses predictable paths under /tmp and /var/tmp in its default mode of operation. Both of these are typically world-writable, leading to well-known exploits. In particular, an attacker can modify imapsync's cache and overwrite files belonging to the user who runs it.

Details

imapsync uses a temporary directory that defaults to /tmp with a recommended alternative of /var/tmp:

user $ imapsync --help
...
--tmpdir str : Where to store temporary files and sub-
               directories. Will be created if it doesn't
               exist. Default is system specific, Unix is
               /tmp but /tmp is often too small and deleted
               at reboot. --tmpdir /var/tmp should be better.

Both of these are typically world-writable. This becomes dangerous when imapsync uses predictable names within that temporary directory. The first such instance is its PID filename:

user $ imapsync --help
...
--pidfile str : The file where imapsync pid is written,
                it can be dirname/filename complete path.
                The default name is imapsync.pid in tmpdir.

To exploit this on a system without fs.protected_symlinks=1, an attacker can place a symlink at /tmp/imapsync.pid pointing to a sensitive file that belongs to the imapsync user. When imapsync is run, that file will be overwritten. A similar vulnerability exists with hardlinks in the absence of (nonstandard!) kernel hardening measures.

The other predictable temporary name is the location of imapsync's cache:

my $cache_base = "$sync->{ tmpdir }/imapsync_cache/" ;

An attacker can create that directory before imapsync is run. When it is run, the attacker will have full access to the cache, allowing him to modify messages or perpetrate other mischief.

Finally, the two paths

Readonly my $CGI_TMPDIR_TOP => '/var/tmp/imapsync_cgi' ;
Readonly my $CGI_HASHFILE   => '/var/tmp/imapsync_hash' ;

are hard-coded under /var/tmp, which shares the same risks as /tmp. These only affect imapsync when it is run as a CGI script; they were not evaluated, but are likely vulnerable to the same type of attack.
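As an added example (not part of the advisory and not imapsync's own code), here is a defender's pre-flight check for the two predictable names described above. Before handing a shared directory to imapsync, it reports whether imapsync.pid or imapsync_cache already exists there as a symlink, is owned by another uid, carries extra hard links, or is group/world-writable, and returns non-zero when anything is found. It assumes GNU coreutils stat (-c) and a POSIX sh; the function name is mine.

```shell
#!/bin/sh
# Added example, not from the advisory or from imapsync itself: pre-flight
# scan of a shared tmpdir for the two predictable names imapsync uses.
# Assumes GNU coreutils `stat -c` and a POSIX sh; function names are mine.

# scan_shared_tmpdir DIR
# Prints one FINDING line per suspicious entry and returns 1 if anything
# was found, 0 if imapsync.pid and imapsync_cache are absent or clearly ours.
scan_shared_tmpdir() {
    dir=$1
    me=$(id -u)
    findings=0

    for name in imapsync.pid imapsync_cache; do
        path="$dir/$name"

        # Test for a symlink first: -e would follow it to the target.
        if [ -h "$path" ]; then
            echo "FINDING: $path is a symlink -> $(readlink "$path")"
            findings=$((findings + 1))
            continue
        fi
        [ -e "$path" ] || continue          # nothing pre-planted

        owner=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        links=$(stat -c '%h' "$path")

        # Created by someone else: they keep full control of it afterwards.
        if [ "$owner" != "$me" ]; then
            echo "FINDING: $path is owned by uid $owner, not uid $me"
            findings=$((findings + 1))
        fi
        # A regular file with extra hard links is the hardlink variant.
        if [ -f "$path" ] && [ "$links" -gt 1 ]; then
            echo "FINDING: $path has $links hard links"
            findings=$((findings + 1))
        fi
        # Group- or world-writable: the last (other) or second-to-last (group)
        # octal digit has the write bit set, i.e. is 2, 3, 6 or 7.
        case "$mode" in
            *[2367]|*[2367]?)
                echo "FINDING: $path is group/world-writable (mode $mode)"
                findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Usage: scan the directory you intend to pass as --tmpdir.
if [ $# -gt 0 ]; then
    scan_shared_tmpdir "$1"
fi
```

The symlink test runs before the existence test on purpose: `-e` follows links, so a dangling or hostile link would otherwise be misreported. A clean result only means nothing was pre-planted at scan time; the race between the scan and imapsync creating the files remains, which is why the advisory's workaround of a private tmpdir is the real fix.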

Resolution

The issue has not yet been fixed in imapsync. To work around it, specify a temporary directory that is writable only by the user running imapsync. For example,

user $ mkdir $HOME/tmp
user $ imapsync --tmpdir=$HOME/tmp --host1 mail.example.com [etc.]

If you're on Linux, it would also be wise to set the following sysctl variables—usually in /etc/sysctl.conf:

fs.protected_fifos = 2
fs.protected_regular = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
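The workaround and the sysctl advice above, combined into one wrapper as an added example (mine, not the advisory's or imapsync's). It creates a fresh mode-0700 directory under $HOME/tmp with mktemp -d (which refuses to reuse an existing entry, so a pre-planted name cannot be adopted), verifies that the result is a real directory owned by the caller with no group/other permissions, reports any fs.protected_* knob below the values recommended above by reading /proc/sys, and only then runs imapsync with --tmpdir pointing at the private directory. It assumes Linux with GNU coreutils; the function names, the IMAPSYNC and IMAPSYNC_TMP_PARENT variables, and the PROC_SYS parameter (there only so the audit can be pointed at a test tree) are mine.

```shell
#!/bin/sh
# Added example, not from the advisory or from imapsync: run imapsync with a
# private tmpdir and warn about weak fs.protected_* settings.
# Assumes Linux /proc/sys and GNU coreutils (mktemp -d, stat -c).
# IMAPSYNC names the command to run; IMAPSYNC_TMP_PARENT overrides $HOME/tmp.

: "${IMAPSYNC:=imapsync}"

# make_private_tmpdir [PARENT]
# Prints the path of a new directory that mktemp -d created with mode 0700
# and an unpredictable name; fails instead of reusing anything pre-existing.
make_private_tmpdir() {
    parent=${1:-${IMAPSYNC_TMP_PARENT:-$HOME/tmp}}
    mkdir -p "$parent"                  # $HOME/tmp as in the workaround above
    mktemp -d "$parent/imapsync.XXXXXX"
}

# tmpdir_is_private DIR
# 0 if DIR is a real directory (not a symlink), owned by us, with no group
# or other permission bits; 1 otherwise.
tmpdir_is_private() {
    dir=$1
    [ -d "$dir" ] && [ ! -h "$dir" ] || return 1
    [ "$(stat -c '%u' "$dir")" = "$(id -u)" ] || return 1
    case "$(stat -c '%a' "$dir")" in
        *00) return 0 ;;                # e.g. 700 or 1700: nothing for others
        *)   return 1 ;;
    esac
}

# audit_fs_protections [PROC_SYS]
# Prints each fs.protected_* knob below the recommended value and returns 1
# if any is weak. PROC_SYS defaults to /proc/sys (parameter for testing).
audit_fs_protections() {
    root=${1:-/proc/sys}
    weak=0
    for pair in protected_symlinks:1 protected_hardlinks:1 \
                protected_fifos:2 protected_regular:2; do
        knob=${pair%%:*}
        want=${pair#*:}
        file="$root/fs/$knob"
        if [ ! -r "$file" ]; then
            echo "WEAK: fs.$knob not available (non-Linux or old kernel)"
            weak=$((weak + 1))
            continue
        fi
        have=$(cat "$file")
        if [ "$have" -lt "$want" ]; then
            echo "WEAK: fs.$knob = $have, recommended >= $want"
            weak=$((weak + 1))
        fi
    done
    [ "$weak" -eq 0 ]
}

# run_imapsync_privately ARGS...
# Private tmpdir, sanity-checked, passed via --tmpdir, removed afterwards.
run_imapsync_privately() {
    tmp=$(make_private_tmpdir) || return 1
    tmpdir_is_private "$tmp" || { echo "refusing to use $tmp" >&2; return 1; }
    audit_fs_protections >&2 || echo "warning: symlink/hardlink hardening is off" >&2
    "$IMAPSYNC" --tmpdir="$tmp" "$@"
    status=$?
    rm -rf "$tmp"
    return $status
}

# Usage: run_imapsync_privately --host1 mail.example.com [etc.]
```

A weak fs.protected_* result is a warning rather than a hard failure here, because the private directory already removes the shared-/tmp exposure; the sysctls are defence in depth for every other program on the host that still writes predictable names under /tmp.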