
Mike Salvatore
on 27 August 2020

Spotting /tmp related vulnerabilities with TmpWatcher


Did you know that misuse of the /tmp directory is one of the most common security flaws? If you search MITRE for the keyword “tmp”, you’ll find a plethora of vulnerabilities (529 at the time of this writing). Because /tmp is a world-writable directory, applications need to be very careful about how they create and use files in /tmp. Unfortunately, many developers are unaware that improper use of /tmp can lead to symlink race, TOCTOU, information disclosure, privilege escalation, and denial-of-service vulnerabilities.

Simple solution to a complex problem

There are many open source projects that continue to use /tmp in an unsafe way. As members of the open source community, we have the opportunity to find and report these types of vulnerabilities. TmpWatcher was created to discover more of these vulnerabilities in less time. It watches for misuse of the /tmp directory, which can lead to many different kinds of security vulnerabilities.

There are two ways to find vulnerabilities caused by the misuse of /tmp. The first is to read source code and search for code that creates files in /tmp. By evaluating this code, you can determine whether or not temporary files are created safely. This approach has the drawback of being somewhat time-consuming. The second way to find these vulnerabilities is to develop a heuristic that will identify unsafe usage of /tmp at runtime. TmpWatcher takes the latter approach.

An efficient way to spot vulnerabilities

One of the most exciting things about open source software is that it gives everyone the opportunity to contribute. A great way to contribute to open source projects is by discovering and reporting security vulnerabilities. TmpWatcher monitors /tmp in real time and watches for files or directories with world-writable permissions (o+w). When files with insecure permissions in /tmp are detected, an alert is logged. As you go about your daily activities, you’ll be notified if an application you’re using makes unsafe use of /tmp. You can take note of what application you were using at the time of the alert and, at your leisure, investigate the alert and report it to the application’s developers.

Get it working

Using TmpWatcher is as easy as installing the tmpwatcher snap and running it:

$ sudo snap install tmpwatcher
$ tmpwatcher

You can test that tmpwatcher is working properly by creating a directory with world-writable permissions in /tmp:

$ mkdir --mode=0777 /tmp/test_dir

In some cases, a user’s umask will help to mitigate potential vulnerabilities caused by unsafe usage of /tmp. On Ubuntu, for example, the default umask is 002, which clears the o+w bit on newly created files and directories. As a result, potential vulnerabilities may fly under TmpWatcher’s radar. To cast a wider net, invoke TmpWatcher with the --perms-mask argument:

$ tmpwatcher --perms-mask 077
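To make the umask interaction concrete, here is an added Python example (not TmpWatcher's own code) that re-implements the permission heuristic described above: an entry is flagged when any bit selected by a perms mask is set. It builds a constructed directory tree under a private temp root instead of touching the real /tmp, and shows why a 0777 mkdir under a 002 umask escapes the default o+w check but is caught by a 077 mask.

```python
import os
import stat
import tempfile

# Hypothetical re-implementation of the heuristic, not TmpWatcher's source.
# Default mask 0o002 is the o+w check; 0o077 flags any group/other access.
DEFAULT_MASK = 0o002
WIDE_MASK = 0o077


def insecure_bits(mode: int, perms_mask: int = DEFAULT_MASK) -> int:
    """Return the permission bits that are both set in mode and watched by perms_mask."""
    return stat.S_IMODE(mode) & perms_mask


def scan_dir(path: str, perms_mask: int = DEFAULT_MASK) -> dict:
    """Return {entry_name: offending_bits} for direct children of path.

    lstat semantics: a symlink's own mode is inspected, not its target's.
    """
    findings = {}
    with os.scandir(path) as it:
        for entry in it:
            bits = insecure_bits(entry.stat(follow_symlinks=False).st_mode, perms_mask)
            if bits:
                findings[entry.name] = bits
    return findings


def create_with_umask(umask: int, requested_mode: int) -> int:
    """Create a directory with the given umask in force and return the resulting mode."""
    root = tempfile.mkdtemp()  # private (0700) root, so nothing leaks into /tmp
    old = os.umask(umask)
    try:
        path = os.path.join(root, "test_dir")
        os.mkdir(path, requested_mode)  # kernel applies requested_mode & ~umask
        return stat.S_IMODE(os.lstat(path).st_mode)
    finally:
        os.umask(old)


def demo() -> dict:
    """Constructed tree: scan it with the default and the wide mask."""
    root = tempfile.mkdtemp()
    old = os.umask(0)
    try:
        os.mkdir(os.path.join(root, "world_writable"), 0o777)  # mkdir --mode=0777, umask 0
        os.mkdir(os.path.join(root, "group_writable"), 0o775)  # same mkdir under umask 002
        os.mkdir(os.path.join(root, "private"), 0o700)         # what mkdtemp()/mkstemp() yield
    finally:
        os.umask(old)
    return {"default": scan_dir(root), "wide": scan_dir(root, WIDE_MASK)}
```

With the default mask only world_writable is reported; with 077, group_writable (the 002-umask case) is reported as well, while a properly created 0700 directory stays silent under both.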

TmpWatcher provides a number of options which allow you to watch directories other than /tmp, watch directories recursively, specify a config file, and run as a daemon. In addition, TmpWatcher can be configured to send alerts to a syslog server so that alerts from multiple systems can all be viewed in one place.

Are you interested in vulnerability research? Are you a software developer who wants to check their software for misuse of the /tmp directory? Give TmpWatcher a try!

For more information about TmpWatcher, see TmpWatcher’s home page on GitHub or check it out in the Snap Store.
