CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
Creation of Temporary File in Directory with Incorrect Permissions
Weakness ID: 379 (Weakness Base)
Status: Incomplete
Description
Description Summary
The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
Extended Description
On some operating systems, the fact that the temporary file exists may be apparent to any user with sufficient privileges to access that directory. Since the file is visible, the application that is using the temporary file could be known. If one has access to list the processes on the system, the attacker has gained information about what the user is doing at that time. By correlating this with the applications the user is running, an attacker could potentially discover what a user's actions are. From this, higher levels of security could be breached.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Confidentiality
Technical Impact: Read application
data
Since the file is visible and the application which is using the temp
file could be known, the attacker has gained information about what the
user is doing at that time.
Likelihood of Exploit
Low
Demonstrative Examples
Example 1
In the following code examples a temporary file is created and
written to and after using the temporary file the file is closed and deleted
from the file system.
(Bad Code)
Example Languages: C and C++
FILE *stream;
if( (stream = tmpfile()) == NULL ) {
perror("Could not open new temporary file\n");
return (-1);
}
// write data to tmp file
...
// remove tmp file
rmtmp();
However, within this C/C++ code the method tmpfile() is used to create
and open the temp file. The tmpfile() method works the same way as the
fopen() method would with read/write permission, allowing attackers to
read potentially sensitive information contained in the temp file or
modify the contents of the file.
BufferedWriter out = new BufferedWriter(new
FileWriter(temp));
out.write("aString");
out.close();
}
catch (IOException e) {
}
Similarly, the createTempFile() method used in the Java code creates a
temp file that may be readable and writable to all users.
Additionally both methods used above place the file into a default
directory. On UNIX systems the default directory is usually "/tmp" or
"/var/tmp" and on Windows systems the default directory is usually
"C:\\Windows\\Temp", which may be easily accessible to attackers,
possibly enabling them to read and modify the contents of the temp
file.
Potential Mitigations
Phase: Requirements
Many contemporary languages have functions which properly handle this
condition. Older C temp file functions are especially
susceptible.
Phase: Implementation
Try to store sensitive tempfiles in a directory which is not world
readable -- i.e., per-user directories.
Ensure that file operations are performed in a secure
directory
CERT C Secure Coding
FIO43-C
Do not create temporary files in shared
directories
CERT C++ Secure Coding
FIO15-CPP
Ensure that file operations are performed in a secure
directory
CERT C++ Secure Coding
FIO43-CPP
Do not create temporary files in shared
directories
References
[REF-7] Mark Dowd, John McDonald
and Justin Schuh. "The Art of Software Security Assessment". Chapter 9, "Temporary Files", Page 538.. 1st Edition. Addison Wesley. 2006.
Description
