Creating and using insecure temporary files can leave application and system data vulnerable to attacks.
Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks.
Example: The following code uses a temporary file for storing intermediate data gathered from the network before it is processed.
...
if (tmpnam_r(filename)){
FILE* tmp = fopen(filename,"wb+");
while((recv(sock,recvbuf,DATA_SIZE, 0) > 0)&&(amt!=0))
amt = fwrite(recvbuf,1,DATA_SIZE,tmp);
}
...
tmpnam()
, tempnam()
, mktemp()
and their C++ equivalents prefaced with an _
(underscore) as well as the GetTempFileName()
function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. open()
using the O_CREAT
and O_EXCL
flags or to CreateFile()
using the CREATE_NEW
attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. tmpfile()
and its C++ equivalents prefaced with an _
(underscore), as well as the slightly better-behaved C Library function mkstemp()
.tmpfile()
style functions construct a unique filename and open it in the same way that fopen()
would if passed the flags "wb+"
, that is, as a binary file in read/write mode. If the file already exists, tmpfile()
will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile()
. Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile()
does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. mkstemp()
is a reasonably safe way to create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. If it is unable to create such a file, it will fail and return -1
. On modern systems the file is opened using mode 0600
, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp()
still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp()
to fail by predicting and pre-creating the filenames to be used.
[1] .NET System.Security.Cryptography: Random Number Generation Microsoft
[2] BeeCrypt
[3] Crypt++
[4] CryptLib
[5] CryptoAPI: CryptGenRandom() Microsoft
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 377
[7] OpenSSL
[8] RtlGenRandom() Microsoft
[9] B. Schneier Yarrow: A secure pseudorandom number generator