CVE-2011-5146 in Bokken
Summary
by MITRE
Bokken before 1.6 and 1.5-x before 1.5-3 for Debian allows local users to overwrite arbitrary files via a symlink attack on /tmp/graph.dot.
Analysis
by VulDB Data Team • 02/20/2019
The vulnerability identified as CVE-2011-5146 is a classic symlink attack affecting the Bokken security tool in versions before 1.6, including the 1.5-x series before 1.5-3 on Debian systems. The flaw lies in how the tool handles temporary files during graph generation, specifically its use of the fixed path /tmp/graph.dot. It allows a local attacker with ordinary user privileges to redirect the tool's write through a symbolic link, which can result in the overwrite of arbitrary files.
The technical implementation of this vulnerability stems from the insecure temporary file creation pattern within Bokken's graph generation functionality. When the application processes security-related data and generates visual representations, it creates temporary files in the /tmp directory without proper validation of the file's existence or ownership. Attackers can exploit this by creating a symbolic link named graph.dot in the /tmp directory that points to a target file of their choice, such as system configuration files or user data. When Bokken attempts to write to this location, the system follows the symbolic link and overwrites the target file instead of creating the intended temporary file.
This vulnerability directly maps to CWE-377, which describes insecure temporary file creation practices, and aligns with ATT&CK technique T1059.001 for executing commands through local interfaces. The operational impact of this flaw extends beyond simple file overwrites, as it can potentially allow attackers to escalate privileges, modify system configurations, or corrupt critical data. The attack requires local system access and basic user privileges, making it particularly dangerous in environments where multiple users share the same system or where users have legitimate access to the Bokken tool.
The exploitation process involves creating a symbolic link in the /tmp directory before Bokken executes its graph generation routine, followed by triggering the vulnerable functionality. This attack vector demonstrates poor input validation and inadequate file handling security measures. The vulnerability's impact is amplified in multi-user environments where attackers can leverage this weakness to target other users' files or system-critical locations. Organizations using Bokken in security assessment or penetration testing contexts must be particularly vigilant, as this vulnerability could be exploited to compromise the integrity of security tools themselves.
Mitigation consists of creating temporary files securely: open them with exclusive-create semantics so that a pre-existing file or link at the path causes the operation to fail, and verify file ownership before writing. The recommended approach is to use functions such as mkstemp() rather than a predictable temporary file name, and to create temporary files in directories with appropriate permissions. System administrators should update to Bokken 1.6 or later, where the issue was addressed through improved file handling and temporary file management. Regular security audits should verify temporary file creation patterns in all security tools and applications to catch similar weaknesses early. Remediation should also include proper file system permissions and monitoring for suspicious symbolic link creation in temporary directories.
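The following is an added example and not Bokken's own code: it contrasts the predictable-path pattern described in the analysis with two hardened writers, one using O_CREAT|O_EXCL (plus O_NOFOLLOW where available) on a fixed name and one using tempfile.mkstemp(). The function names, the scratch directory, the "victim.conf" target and the planted graph.dot link are all constructed for the demonstration; nothing here touches the real /tmp.

```python
"""Added example (not Bokken's code): a fixed, predictable temp path that
follows symlinks versus writers that refuse to.

The demo stages the scenario in a private scratch directory so it runs
offline; the planted link and its target are constructed sample data.
"""
import os
import tempfile


def write_graph_unsafe(path: str, dot: str) -> None:
    """Pattern the analysis describes: open a fixed path for writing.
    open() follows symlinks, so a pre-planted link at that path sends the
    write to whatever the link points at."""
    with open(path, "w") as f:
        f.write(dot)


def write_graph_safe(path: str, dot: str) -> None:
    """Hardened variant on a fixed name: O_EXCL fails if anything (file or
    link) already exists at the path, O_NOFOLLOW refuses a symlink as the
    final component, and mode 0600 keeps the file owner-only."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(dot)


def write_graph_mkstemp(directory: str, dot: str) -> str:
    """Preferred fix named in the analysis: mkstemp() picks an unpredictable
    name and itself opens with O_CREAT|O_EXCL and mode 0600.  Returns the
    path so the caller can hand it to the graph renderer and unlink it."""
    fd, path = tempfile.mkstemp(prefix="graph-", suffix=".dot", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(dot)
    return path


def demo() -> dict:
    """Plant graph.dot -> victim.conf in a scratch directory and record what
    each writer did to the victim file."""
    dot = "digraph g { a -> b }\n"
    original = "original contents\n"
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.conf")  # constructed target
        with open(victim, "w") as f:
            f.write(original)
        link = os.path.join(scratch, "graph.dot")  # predictable name
        os.symlink(victim, link)

        # 1. predictable path: the write lands on the victim file
        write_graph_unsafe(link, dot)
        with open(victim) as f:
            results["unsafe_overwrote_target"] = f.read() != original

        # 2. exclusive create on the same path: refused, victim untouched
        with open(victim, "w") as f:
            f.write(original)
        try:
            write_graph_safe(link, dot)
            results["safe_raised"] = False
        except OSError:  # EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW)
            results["safe_raised"] = True
        with open(victim) as f:
            results["safe_target_intact"] = f.read() == original

        # 3. mkstemp: fresh owner-only regular file, never the planted link
        path = write_graph_mkstemp(scratch, dot)
        st = os.lstat(path)
        results["mkstemp_mode_0600"] = (st.st_mode & 0o777) == 0o600
        results["mkstemp_not_symlink"] = not os.path.islink(path)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Of the two hardened writers, mkstemp() is the better fit for a tool like Bokken: with an unpredictable name there is no fixed path for anyone to plant a link at in the first place, and the exclusive-create flags are applied for you.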