possible symlink attack in blender 2.5 #22509

New Issue

Paul Wise · 2010-06-05T08:25:30+02:00

Paul Wise commented

2010-06-05 08:25:30 +02:00

%%%Blender is subject to symlink attack when the user closes the app without saving their changes. The consequences are that an attacker determined file owned by the victim is overwritten with a .blend file, destroying whatever data was in the file in the process.

Version 2.49.2 isn't vulnerable to this attack since it uses ~/.blender/quit.blend instead of /tmp/quit.blend. I would suggest this behaviour be restored before Blender 2.5 is released.

pabs@chianamo:~$ sudo ln -s /home/pabs/foo /tmp/quit.blend
[sudo] password for pabs:
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
ls: cannot access /home/pabs/foo: No such file or directory
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to /home/pabs/foo' /home/pabs/fooo: ERROR: cannot open /home/pabs/foo' (No such file or directory)
pabs@chianamo:~$ blender
Ob 'Camera' - Successfully removed 0 keyframes
bpy stats - tot exec: 5728, tot run: 0.4375sec, average run: 0.000076sec, tot usage 1.4299%
Saved session recovery to /tmp/quit.blend

Blender quit
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo

rw-r----- 1 pabs pabs 78K Jun 5 13:53 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: Blender3D, saved as 64-bits little endian with version 2.50.0007
pabs@chianamo:~$ echo foo > /home/pabs/foo
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
rw-r----- 1 pabs pabs 4 Jun 5 14:00 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: ASCII text
pabs@chianamo:~$ blender
bpy stats - tot exec: 648, tot run: 0.0677sec, average run: 0.000104sec, tot usage 0.4556%
Saved session recovery to /tmp/quit.blend

Blender quit
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: Blender3D, saved as 64-bits little endian with version 2.50.0007
%%%

%%%Blender is subject to symlink attack when the user closes the app without saving their changes. The consequences are that an attacker determined file owned by the victim is overwritten with a .blend file, destroying whatever data was in the file in the process. Version 2.49.2 isn't vulnerable to this attack since it uses ~/.blender/quit.blend instead of /tmp/quit.blend. I would suggest this behaviour be restored before Blender 2.5 is released. pabs@chianamo:~$ sudo ln -s /home/pabs/foo /tmp/quit.blend [sudo] password for pabs: pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo ls: cannot access /home/pabs/foo: No such file or directory lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo /tmp/quit.blend: symbolic link to `/home/pabs/foo' /home/pabs/fooo: ERROR: cannot open `/home/pabs/foo' (No such file or directory) pabs@chianamo:~$ blender Ob 'Camera' - Successfully removed 0 keyframes *bpy stats* - tot exec: 5728, tot run: 0.4375sec, average run: 0.000076sec, tot usage 1.4299% Saved session recovery to /tmp/quit.blend Blender quit pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo - rw-r----- 1 pabs pabs 78K Jun 5 13:53 /home/pabs/foo lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo /tmp/quit.blend: symbolic link to `/home/pabs/foo' /home/pabs/foo: Blender3D, saved as 64-bits little endian with version 2.50.0007 pabs@chianamo:~$ echo foo > /home/pabs/foo pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo - rw-r----- 1 pabs pabs 4 Jun 5 14:00 /home/pabs/foo lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo /tmp/quit.blend: symbolic link to `/home/pabs/foo' /home/pabs/foo: ASCII text pabs@chianamo:~$ blender *bpy stats* - tot exec: 648, tot run: 0.0677sec, average run: 0.000104sec, tot usage 0.4556% Saved session recovery to /tmp/quit.blend Blender quit pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo /tmp/quit.blend: symbolic link to `/home/pabs/foo' /home/pabs/foo: Blender3D, saved as 64-bits little endian with version 2.50.0007 %%%

Paul Wise commented

2010-06-05 08:25:30 +02:00

Changed status to: 'Open'

Matt Ebb commented

2010-06-07 10:13:17 +02:00

%%%Hi, revision of the way blender finds directory/file paths for these kinds of resource files is currently in development, and will allow customisation of these with environment variables. Technically this functionality is doing what it is designed to do, so it's not really a bug (there are many more 'security' issues in blender than this).

Incidentally, I'm not sure why 2.49 was saving in ~/.blender/ for you, afaik it has always saved in /tmp, perhaps you didn't have write access there or something.

Closing this report, thanks.%%%

%%%Hi, revision of the way blender finds directory/file paths for these kinds of resource files is currently in development, and will allow customisation of these with environment variables. Technically this functionality is doing what it is designed to do, so it's not really a bug (there are many more 'security' issues in blender than this). Incidentally, I'm not sure why 2.49 was saving in ~/.blender/ for you, afaik it has always saved in /tmp, perhaps you didn't have write access there or something. Closing this report, thanks.%%%

Matt Ebb commented

2010-06-07 10:13:17 +02:00

Changed status from 'Open' to: 'Archived'

Matt Ebb closed this issue

2010-06-07 10:13:17 +02:00

Paul Wise commented

2010-06-07 10:33:35 +02:00

%%%According to the Debian maintainer, 2.49 was patched in Debian to save into the right directories and avoid the security issues but the 2.50 version in Debian experimental dropped those patches:

http://bugs.debian.org/584621
http://git.debian.org/?p=collab-maint/blender.git;a=blob;f=debian/NEWS;hb=experimental

In any case, it is a shame that the blender project isn't interested in fixing security issues, no matter how minor they might seem.%%%

%%%According to the Debian maintainer, 2.49 was patched in Debian to save into the right directories and avoid the security issues but the 2.50 version in Debian experimental dropped those patches: http://bugs.debian.org/584621 http://git.debian.org/?p=collab-maint/blender.git;a=blob;f=debian/NEWS;hb=experimental In any case, it is a shame that the blender project isn't interested in fixing security issues, no matter how minor they might seem.%%%

Paul Wise commented

2012-09-05 16:39:05 +02:00

%%%This bug is still present in blender 2.63a, it would be great if it were fixed.%%%

Sign in to join this conversation.

No Label

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

possible symlink attack in blender 2.5 #22509