OpenVAS Change Request #47: OpenVAS-Scanner: Keep uploaded files in memory instead of on disk

Status: Voted +5. Done. Implemented with SVN revisions 7635 and 7638.

Purpose

To eliminate possible TOCTOU attacks on the scanner.

To allow privilege downgrades in the scanner.

References

Rationale

Currently, files uploaded to the OpenVAS scanner through NVT preferences of the type "file" are written to temporary files when they are uploaded at the start of a scan. A mapping is created between the original name of the file on the user's machine (e.g. /home/user/abc.txt) and the name of the temporary file on the OpenVAS scanner (e.g. /var/lib/openvas/tmp/tmp.12345-678). When the NVT which uploaded the file runs during the attack, the location or content of this temporary file is provided to the NVT. When the task has finished, the temporary files are removed.

NVTs can access the uploaded file in two ways: they can use the command script_get_preference_file_content to access the contents of the file, or the command script_get_preference_file_location to determine the location of the temporary file on the OpenVAS scanner.

One weakness of this approach is that it opens the possibility of TOCTOU (time of check, time of use) race conditions: a local attacker could use the insecure creation of the temporary file to overwrite arbitrary files (as described by Tim Brown here and here) or could alter the contents of the uploaded file between upload and actual use by the NVT.

The file system access currently happens at a time where the process has elevated privileges and has access to the entire disk; this amplifies the threat described above. In order to have the OpenVAS scanner operating in a secure manner, the OpenVAS project is committed to enabling the scanner to run with the least privileges possible; this may mean that writing to disk or accessing files on disk might not be possible for the process in the future.

Suggested Changes

To avoid any need for disk access or elevated privileges, this change request proposes the storage of uploaded files in memory instead of on disk.

The least invasive way to switch to memory-based storage would be to use the mapping described above to map the original file name to the actual contents of the file instead of to the file name on the scanner (see below).
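The following is an added illustration of that mapping, written for this page and not taken from openvas-scanner or openvas-libraries: a small in-memory store keyed by the client-side file name, holding the uploaded bytes in process memory so that no temporary file is created and there is no disk write for a local attacker to race. The function names, the entry limit and the memory cap are assumptions chosen for the example; only the idea of replacing the temporary-file name with the contents comes from the change request.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenVAS code. Names and limits are assumptions. */
#define MAX_UPLOADED_FILES 32
#define MAX_TOTAL_BYTES (16u * 1024u * 1024u)  /* assumed cap on memory use per task */

struct uploaded_file {
    char *orig_name;      /* client-side name, e.g. /home/user/abc.txt */
    unsigned char *data;  /* contents in memory, NUL-terminated for convenience */
    size_t len;           /* content length without the terminator */
};

static struct uploaded_file store[MAX_UPLOADED_FILES];
static size_t store_count = 0;
static size_t store_bytes = 0;

static void free_entry(struct uploaded_file *e)
{
    store_bytes -= e->len;
    free(e->orig_name);
    free(e->data);
    e->orig_name = NULL;
    e->data = NULL;
    e->len = 0;
}

static struct uploaded_file *find_entry(const char *orig_name)
{
    for (size_t i = 0; i < store_count; i++)
        if (strcmp(store[i].orig_name, orig_name) == 0)
            return &store[i];
    return NULL;
}

/* Store an uploaded file under its client-side name. The bytes are copied so the
 * caller may release its buffer; a second upload with the same name replaces the
 * first. Returns 0 on success, -1 if the store is full, the memory cap would be
 * exceeded, or allocation fails. */
int upload_store_put(const char *orig_name, const unsigned char *data, size_t len)
{
    struct uploaded_file *e = find_entry(orig_name);
    size_t existing = e ? e->len : 0;
    size_t name_len = strlen(orig_name);

    if (!e && store_count >= MAX_UPLOADED_FILES)
        return -1;
    if (store_bytes - existing + len > MAX_TOTAL_BYTES)
        return -1;

    char *name_copy = malloc(name_len + 1);
    unsigned char *data_copy = malloc(len + 1);
    if (!name_copy || !data_copy) {
        free(name_copy);
        free(data_copy);
        return -1;
    }
    memcpy(name_copy, orig_name, name_len + 1);
    memcpy(data_copy, data, len);
    data_copy[len] = '\0';

    if (e)
        free_entry(e);           /* replacing: release the old contents first */
    else
        e = &store[store_count++];
    e->orig_name = name_copy;
    e->data = data_copy;
    e->len = len;
    store_bytes += len;
    return 0;
}

/* What script_get_preference_file_content would consult in this design:
 * the bytes for a client-side name, or NULL if nothing was uploaded under it. */
const unsigned char *upload_store_get(const char *orig_name, size_t *len_out)
{
    struct uploaded_file *e = find_entry(orig_name);
    if (!e)
        return NULL;
    if (len_out)
        *len_out = e->len;
    return e->data;
}

size_t upload_store_count(void) { return store_count; }
size_t upload_store_bytes(void) { return store_bytes; }

/* Counterpart of deleting the temporary files when the task finishes. */
void upload_store_clear(void)
{
    for (size_t i = 0; i < store_count; i++)
        free_entry(&store[i]);
    store_count = 0;
}

int main(void)
{
    const unsigned char sample[] = "constructed sample content";  /* constructed input */
    upload_store_put("/home/user/abc.txt", sample, sizeof sample - 1);
    size_t n = 0;
    const unsigned char *c = upload_store_get("/home/user/abc.txt", &n);
    printf("%zu bytes: %s\n", n, c ? (const char *)c : "(missing)");
    upload_store_clear();
    return 0;
}
```

Because the store never touches the file system, the lookup can run after the scanner has dropped its privileges, and the memory cap makes the increase in memory usage noted under Effects an explicit, bounded quantity rather than an open-ended one.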

Effects

The scanner would no longer write uploaded files to disk, thereby reducing potential attack vectors and removing the need for disk access in this context.

Depending on the size of the uploaded files, memory usage of openvas-scanner would increase during a scan.

Design and Implementation

The least invasive approach would require a few minor changes to openvas-scanner and openvas-libraries:

This change would also require updating the handling of SSH login information uploaded by the client in openvas-scanner:

History