COMMAND

    Tripwire

SYSTEMS AFFECTED

    Tripwire 2.2.1, tripwire 2.3.0 (and tripwire-ASR-1.3.1)

PROBLEM

    Jarno Huuskonen found the following.  He tested the  vulnerability
    only on Linux, so he cannot confirm whether other platforms or
    versions are affected (but we believe that versions <2.4 are).

    Tripwire opens/creates temporary files insecurely.  Insecure
    temporary files are created at least when scanning the filesystem
    and when updating the tripwire database.

    Tripwire opens/creates temporary files in /tmp without the O_EXCL
    flag.  The temporary filenames are generated with the mktemp(3)
    library function (not a system call), which only produces a name;
    the file is then opened with O_CREAT but without O_EXCL, so if a
    file or symlink already exists at that path it is simply followed.
    This makes it possible for a local user to overwrite arbitrary
    files with the permissions of the user running tripwire (normally
    root).

    Jarno found out about the problem when he noticed a temporary file
    /tmp/twtempa19212 left behind in /tmp.  Out of curiosity he ran the
    tripwire binary under strace and noticed that the temporary files
    in /tmp are opened without the O_EXCL flag.

    After that  he looked  at the  tripwire sources  and confirmed the
    problem.  (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp
    and tw/textreportviewer.cpp).

    Insecure files are created at least when running:
    - tripwire --check
    - tripwire --update -r reportdir/reportfile
    - tripwire --check --email-report

    Tripwire-2.2.1 for Linux (the binary version available from  )
    seems to be the easiest to exploit because it is statically linked
    with a mktemp that uses the PID of the tripwire process to build
    the 'unique' filename, so a local user can predict the name from
    the process list before the file is created.  In all tests with
    this version the temporary filename was /tmp/twtempaPID.

    On older versions of tripwire, and likely on any version before
    this patch, the easiest exploit was to symlink the temporary
    tripwire database back to the original tripwire database it was
    checking against.  Raced properly, this causes tripwire to see no
    changes at all, so the integrity check is silently defeated rather
    than merely abused to clobber a file.
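
    The following program is an added example, not code from the
    tripwire sources or from the advisory.  It reproduces the race in
    miniature: a scratch directory stands in for /tmp, a small file
    stands in for the tripwire database, and the "attacker" plants a
    symlink at the predictable twtempa<PID> name before the
    "privileged" open happens.  open_temp_insecure() mirrors the
    mktemp + open-without-O_EXCL pattern described above and writes
    straight through the symlink; open_temp_secure() adds O_EXCL (and
    O_NOFOLLOW where available) and is refused with EEXIST.  The
    directory and file names are assumptions chosen for the demo; the
    attacker and victim are the same process here, which is why
    getpid() is used for the name that a real attacker would read from
    ps.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* platforms without it still get O_EXCL protection */
#endif

static const char ORIG[] = "original database contents\n";

/* Scratch area standing in for /tmp (constructed for the demo). */
struct arena {
    char dir[64];      /* /tmp/twdemoXXXXXX after mkdtemp() */
    char victim[128];  /* stands in for the tripwire database */
    char tmpname[128]; /* the predictable twtempa<PID> temp name */
};

/* Create the scratch dir and victim file, then do the attacker's step:
 * plant a symlink at the name tripwire is about to open. */
static int arena_setup(struct arena *a)
{
    strcpy(a->dir, "/tmp/twdemoXXXXXX");
    if (mkdtemp(a->dir) == NULL)
        return -1;
    snprintf(a->victim, sizeof a->victim, "%s/tw.twd", a->dir);
    /* tripwire 2.2.1 produced twtempa<PID>; an attacker reads the PID from ps */
    snprintf(a->tmpname, sizeof a->tmpname, "%s/twtempa%d", a->dir, (int)getpid());

    int fd = open(a->victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, ORIG, sizeof ORIG - 1);
    close(fd);
    if (n != (ssize_t)(sizeof ORIG - 1))
        return -1;
    return symlink(a->victim, a->tmpname);
}

static void arena_teardown(struct arena *a)
{
    unlink(a->tmpname);
    unlink(a->victim);
    rmdir(a->dir);
}

/* 1 if the victim's contents no longer match ORIG, 0 if intact, -1 on error. */
static int victim_changed(const struct arena *a)
{
    char buf[64] = {0};
    int fd = open(a->victim, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n < 0 ? -1 : strcmp(buf, ORIG) != 0;
}

/* Vulnerable pattern: predictable name, O_CREAT without O_EXCL. The
 * pre-planted symlink is followed and the target is truncated. */
static int open_temp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything, a
 * symlink included, already sits at the path. mkstemp(3) gives the same
 * guarantee together with an unpredictable name. */
static int open_temp_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Returns 1 when the insecure open wrote through the symlink into the victim. */
int demo_insecure(void)
{
    struct arena a;
    if (arena_setup(&a) != 0)
        return -1;
    int result = 0;
    int fd = open_temp_insecure(a.tmpname);
    if (fd >= 0) {
        const char junk[] = "root just overwrote this for the attacker\n";
        (void)write(fd, junk, sizeof junk - 1);
        close(fd);
        result = victim_changed(&a);
    }
    arena_teardown(&a);
    return result;
}

/* Returns 1 when the O_EXCL open refuses the symlink and the victim is intact. */
int demo_secure(void)
{
    struct arena a;
    if (arena_setup(&a) != 0)
        return -1;
    int fd = open_temp_secure(a.tmpname);
    int refused = fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0)
        close(fd);
    int result = refused && victim_changed(&a) == 0;
    arena_teardown(&a);
    return result;
}

int main(void)
{
    printf("insecure open clobbered the database: %s\n", demo_insecure() == 1 ? "yes" : "no");
    printf("O_EXCL open refused the planted symlink: %s\n", demo_secure() == 1 ? "yes" : "no");
    return 0;
}
```

    Run it as an unprivileged user; no root is needed because the demo
    attacks a file it owns.  The point generalises beyond tripwire: any
    program that calls mktemp(3) and then open(2) without O_EXCL has the
    same window, and the fix is the same flag (or mkstemp(3)).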

SOLUTION

    Install the fixed tripwire and use the new TEMPDIRECTORY
    configuration option so that tripwire only uses a temporary
    directory writable by root (e.g. /root/tmp, mode 0700).

    Note:  tripwire-2.3.1-2  (from  sourceforge)  still has one unsafe
    temporary  file  open  (see  tripwire-2.3.1-2/src/core/archive.cpp
    cLockedTemporaryFileArchive::OpenReadWrite).

    It appears possible to patch the tripwire (2.2.1) binaries to create
    temporary files in a directory other than /tmp.  To do this, edit
    the tripwire binaries siggen, tripwire, twadmin and twprint, and
    replace the twtempXXXXXX strings with e.g. tw/tmpXXXXXX.  The
    replacement must be exactly the same length (12 bytes here) and
    must keep the trailing XXXXXX, otherwise the bytes following the
    string in the binary are corrupted or mktemp has no template to
    fill in.  Tripwire then creates its temporary files in the /tmp/tw
    directory, which must be created beforehand and should be owned by
    root and writable only by root.  Note: if you are going to edit the
    binaries, do it at your own risk AND read the tripwire license
    before doing so, and only if you cannot get an updated tripwire.