Bugzilla – Bug 1200381
VUL-0: CVE-2022-48682: fdupes: TOCTOU race allows arbitrary file deletion
Last modified: 2024-06-20 14:01:10 UTC
fdupes [1] can be tricked into deleting arbitrary system files by exploiting a TOCTOU race condition in `fdupes.c` when it's executed as root, operating on a folder controlled by an unprivileged user.

[1] https://github.com/adrianlopezroche/fdupes
Created attachment 859510 [details]
poc-fdupes-file-deletion.c

Reproducer

gcc -O2 -o poc-fdupes-file-deletion poc-fdupes-file-deletion.c

usage: poc-fdupes-file-deletion USERDIR TARGETFILE

USERDIR must be writable for the current user.
TARGETFILE must be readable for the current user.
The target file will be deleted when root executes `fdupes -r -d -N USERDIR`.
fdupes.c [1] contains a file system race condition between grokdir() and deletefiles() that can be exploited to make it follow symlinks, and under special circumstances to delete arbitrary files outside the scanned directory.

When fdupes is instructed to delete duplicates, it first scans the destination directory recursively, while ignoring symlinks. Later on, deletefiles() operates on the metadata gathered by grokdir(). Critically, deletefiles() assumes the file system contents have not been altered in the meantime.

A malicious user can win the race by monitoring the directory with inotify(7) and replacing a subdirectory with a symlink at the right time. The time to win this race is very short and would often fail. This issue is solved by creating a "tar pit" directory tree that keeps fdupes busy while we place the symlink. Approx. 1000 subdirectories were found to be sufficient in this case.

In the special case of a privileged user running `fdupes -r -d -N` on a directory with subdirectories writable to an unprivileged malicious user, it is possible to delete arbitrary files on the system.

Scenario:
- Privileged user executes: fdupes -r -d -N $USERDIR
- Malicious user, with write access to a subdirectory in USERDIR, wants to delete TARGETFILE, which they have read access to, e.g. `/etc/passwd`.

Process:

Set up a directory structure with 2 copies of TARGETFILE, one of which must have an mtime older than the original. We also need the aforementioned "tar pit":

```
userdir/
└── workdir.123456789/
    ├── redherring/
    │   └── TARGETNAME (copy of TARGETFILE with mtime < original)
    └── bait/
        ├── TARGETNAME (copy of TARGETFILE)
        └── tarpit
            ├── 0
            ├── 1
            ├── …
            └── 999
```

Now wait until bait/ is accessed and replace it with a symlink to the directory containing TARGETFILE. fdupes will delete TARGETFILE.

[1] https://github.com/adrianlopezroche/fdupes/blob/4b6bcde1b3eb1cebe87cd30814f7d6cf4ee46e95/fdupes.c
Still waiting for upstream to respond.
The issue has been confirmed by upstream and a solution is underway.
Upstream fix: https://github.com/adrianlopezroche/fdupes/commit/85680897148f1ac33b55418e00334116e419717f
6.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H
Fixed in upstream release 2.2.0

openSUSE:Factory        Already fixed
SUSE:SLE-12:Update      Affected
SUSE:SLE-15-SP4:Update  Affected

SLE-15-SP4 (fdupes-2.1.2) can be bumped to the latest version 2.3.0. There are no breaking changes, only bug fixes: https://github.com/adrianlopezroche/fdupes/blob/master/CHANGES
CVE-2022-48682 was assigned to this bug.
SUSE-RU-2024:1878-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1200381
Maintenance Incident: [SUSE:Maintenance:33850](https://smelt.suse.de/incident/33850/)

Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): fdupes-1.61-8.3.1
SUSE Linux Enterprise Server 12 SP5 (src): fdupes-1.61-8.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): fdupes-1.61-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Perfect. Thanks for the submissions! Resolved!