 K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY |
to antdude
Re: XKCD on Adobe Updaterssaid by antdude:»www.xkcd.com/1197/
Don't forget to hover your mouse cursor over the comic strip for hidden messages from our other favorite software. 
Better yet - for those using Linux or BSD, they stopped updating at all back in version 11.2. Aside from what they call "security-only updates" which somehow don't seem to be happening. If it weren't for the way our thing is designed, emulating Linux rather than running the real thing along with our lockbox, folks would be pretty boned with the way Adobe is doing things lately. But no problem for us, no more updates required. I'm personally fond of their earlier 10.x versions which still let you make a copy from the /tmp folder if something's worth keeping.  But that xkcd is *so* correct. |
|
| |
MeDuZa
Member
2013-Apr-10 5:43 am
said by K McAleavey:I'm personally fond of their earlier 10.x versions which still let you make a copy from the /tmp folder if something's worth keeping. Works great with 10.3r183 Didn't try with the latest though. |
|
|
K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY |
said by MeDuZa:said by K McAleavey:I'm personally fond of their earlier 10.x versions which still let you make a copy from the /tmp folder if something's worth keeping. Works great with 10.3r183 Didn't try with the latest though. As of their 11 versions, they now open a file handle to /tmp and then immediately close it but retain the handle after closing it to write "invisibly" to the file system. Downside of this stupidity is that if Flash crashes, the inodes don't get released and your free space gets smaller and smaller with time.  "Use after free" is very bad security, but it makes Hollywood happy. |
|
dave
Premium Member
join:2000-05-04
not in ohio |
dave
Premium Member
2013-Apr-10 8:35 pm
What operating system allows use of a closed handle? |
|
K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY |
|
|
| |
Not familiar with intricacies of Linux... But why can't Linux do the same behavior as Windows and lock the file that's been used temporarily? Seems like that would be a fundamental behavior for any modern OS. Or can it, but Adobe is being sloppy and not using such a feature? |
|
K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY |
said by SpHeRe31459:Not familiar with intricacies of Linux... But why can't Linux do the same behavior as Windows and lock the file that's been used temporarily? Seems like that would be a fundamental behavior for any modern OS. Or can it, but Adobe is being sloppy and not using such a feature?
Unix, and "unix-like" systems like Linux provide much finer grain locking capabilities not only on whole files, but on individual records. Large databases for instance depend on this in order to prevent race conditions and even nastier outcomes. Linux' file-locking primitives are simpler and more like Windows whereas the BSD world we live in provides a far greater number of variations that can get quite complex to implement properly. For coders that live in Billyworld, I imagine it would be just to much to wrap their minds around which is probably why this ugly hack is how Adobe went about doing it. Rather than cause eyes to glaze over with the details though, I'll point to this wiki entry that does a fairly good job at explaining the differences: http://en.wikipedia.org/wiki/File_lockingIn BSD (which is what our KNOS was built on) stopping such silliness was pretty easy to accomplish as part of our overall lockdown. In Linux however, this method made life very easy for ne'er-do-wells since the /proc/fd stuff is open and accessible to anything. |
|
| |
I must say it's amazing (but I guess not totally surprising) that such a huge hole has been left open, and by (sloppy) design no less, with Flash on Linux. Has this been exploited in the wild? It seems such an easy target to exploit.
I'm afraid I've gotten way into the corporate Windows-based world and haven't done much with Linux in years. Been too busy trying to stay on top of Flash and Java, etc. patch management... |
|
salahx
join:2001-12-03
Saint Louis, MO |
to SpHeRe31459
Linux and Windows use very different locking schemes, due to different origins.Linux uses an advisory locking scheme (actually 2 of them - POSIX fcntl locks and BSD flock() locks), where Windows uses a mandatory locking scheme called "share reservation". The reason for the difference is Linux has it root in a multiuser system, whereas Windows has it root in a single user operating system - multi-user was added later but programs assumed they had exclusive access, so share reservation were added for compatibility.
There is interest of allowing Windows share reservation semantics under Linux, for the sake of remote filesystem (CIFS and NFS) as well as locally (WINE wants this) - Google O_DENY* for the latest update. One important issue to be hammered out is denial-of-service issues with mandatory locking.
The trick of opening a file and unlink()ing afterwards is a common trick used by many programs that want the file to be auto-deleted when there no more references to it. Windows won't let you delete in a file in use, but instead when the file is opened a "delete on close" flag can be set so Windows deletes the file when the last reference is dropped.
The ability to continue to use an unlink() file is in fact a vital one. Windows program can't a shared library in use - a restart is required. Under Linux, shared libraries can be updating by deleting the old one then replacing it with the updated one. Programs that still have the old library open will continue to use it, whereas programs started afterwards will use the new library.
In general under Unix type system the file is actually the inode, the name is simply a convenience for humans, much like how DNS works for IP. In fact, files under Unix can even have multiple names via hardlinks! |
|
| |
Thanks for the info. Gotta get my Windows centric brain expanded back into the world of *nix sometime soon. |
|
dave
Premium Member
join:2000-05-04
not in ohio
4 edits |
to K McAleavey
said by K McAleavey:You can read about how it works here The first link makes it clear that you can't access the file through a handle (aka file descriptor) that you have closed. There's no such thing as retaining use of a file handle after you've closed it. It's a contradiction in terms. What is going on is that the file is unlinked while open, so that the still-open file handle is the only way to access it. quote:
The Adobe plugin creates a secure temporary file — the typical way to do this is to (a) create a file, (b) open a file descriptor to it, (c) unlink (delete) the file. As long as the file descriptor remains open, the file will be fine. But once the file descriptor is closed, the bytes are free to be overwritten by the filesystem. The last step of unlinking is in an attempt to limit other programs from accessing the file.
(My emphasis) lsof will surely tell you the same thing. ~ $ rm /tmp/dave-test
~ $ ls /tmp/dave-test
ls: /tmp/dave-test: No such file or directory
~ $ lsof | grep dave-test
lsof: WARNING: can't stat() nfs file system /.automount/nfshome/users
Output information may be incomplete.
cp 9728 dave 4w REG 8,1 16 817642 /tmp/dave-test (deleted)
Maybe you're using "file handle" in some different way? The stuff about /proc/fd is interesing though, it appears from the description to be a way to get new file descriptors to the file. But that's surely protected so that only root and the owner have access? I'll have to mess around and find out. If not, the hole lies in procfs, not the Flash app. Here's the basic access: ~ $ cat /proc/9728/fd/4
hello world
So, what's going in here, in my estimation, is that procfs creates what amounts to an alternative path to the file (it's not really a symlink though procfs pretends it is). Thus Flash thinks it has removed all existing pathnames, but it has not done so. I'm still not seeing the security hole in this though. The 'link' permits only owner access. I see no ugly hack either. The approach of opening a file and then immediately deleting it is a solid programming technique. It reduces the chance of unexpected name collisions (though a good random namer can avoid that) and it avoids leaving junk files around even in the case that the process terminates without doing the unlink, e.g. if ^C'd or aborted. So, in that regard, I disagree with your claim that the inode won't be released if Flash crashes. The kernel closes the fd on process exit, the ref count on the inode goes to zero, and the file is deleted. The only wrongthinkful approach here is to presume it makes a file 'secure' - because all we've done is to obscure its (previous) name. |
|
|
 mackey
Premium Member
join:2007-08-20 |
mackey
Premium Member
2013-Apr-12 1:49 am
said by dave:So, in that regard, I disagree with your claim that the inode won't be released if Flash crashes. The kernel closes the fd on process exit, the ref count on the inode goes to zero, and the file is deleted. You're assuming the crash does not bring down the entire system. I've experienced too many crashes which result in a kernel panic or a hung system necessitating a reboot to trust this method. It's a moot point for me however, at least with regards to Flash - with Youtube supporting HTML5 video and KeepVid for those few videos which don't play, I no longer have Flash installed at all. If a website requires Flash to work at all, well, they just lost a visitor. /M |
|
K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY |
to dave
Thanks for the details! I have to admit since I'm in the BSD world, I don't follow Linux much anymore. I piped off that ship before I piped off Billyware, and wanted to avoid getting "too geeky" here. In KNOS, we have the BSD "Linuxulator" which emulates Linux in a similar manner to WINE for emulating Windows. We don't permit Linuxy things in our house for security reasons. Therefore, in what I'm explaining, I'm paraphrasing what I am told by folks who deal with Linux security in a similar manner to how we knew Winblows inside and out back in our BOClean days. In order to try to keep it simple, I used the term "handle" since many are familiar with that concept in Windows. My UNDERSTANDING of the security issue rests in how Linux allows "pointers to file descriptors" to live after the actual file descriptor itself is gone, and since the pointer still points to a physical inode, it can hold the inode "privately" which means that any other process cannot fix the association and yet the kernel will not allow access to that inode pointer until that is released by the process which is holding that pointer open. What I'm told is that this method is how malware in Linux can for example "hold" an injected file while preventing any access to it whatsoever from outside of the rogue process. In other words, a behavior similar to a rootkit in being able to hold onto data on the disk privately. However this works at the kernel level in Linux, the file descriptors no longer exist for sniffing, but the inode itself is somehow marked as not available. That's how analysts first tracking down a partcular piece of malware got the idea of looking further for why certain "free inodes" could neither be read nor written to. So that's where I got that little bit from. As to how Adobe's "obfuscation" works, this little exercise explains it: Adobe obfuscated the /tmp file method several updates ago. The flash
plugin still creates a /tmp file, but it immediately removes the file
link causing any "ls /tmp" calls to not see a file. You can still get
the file data through /proc.
$ ps -ef | grep plugin
# copy the PID of flash ($PID)
$ ls -l /proc/$PID/fd
# find the /tmp/flashXXXXXX file symlink ($FD)
$ cp -p /proc/$PID/fd/$FD /home/foo/flash.flvI'm told that the above no longer works reliably as they've managed to find some even deeper levels of intrigue since in the latest Linux versions. But the chain of events I was describing are detailed a little further in these two links: http://saylinux.net/story/009736/how-obtain-flash-videos-firefox-4http://stackoverflow.com/questions/12337122/difference-between-creating-a-duplicate-file-descriptor-using-dup-and-creatingSuffice it to say that at least in our own BSD realm, none of this is allowed because we only emulate Linux. But the reason why we developed KNOS was because Windows had created too many hiding places, and I find it a bit disturbing that Linux is apparently creating catacombs too. And yes, I consider any method of hiding things a "dirty hack" ... they could have gone about coding it in a way that would allow the file(s) to remain visible and lock them properly, and cleaning up properly after they were done. |
|
dave
Premium Member
join:2000-05-04
not in ohio |
to mackey
said by mackey:You're assuming the crash does not bring down the entire system. Sure, but lost disk space (until the next time a scavenger program gets run) is a hazard of system crashes in general. If there's no time to sync the disks, then the on-disk structures are likely stale. But Unixalike systems are uniformly so great that no userland crash ever brings down the kernel, right? |
|
