owwatcher

Mike Salvatore (mikesalvatore) Publisher

Install latest/stable of owwatcher

Ubuntu 16.04 or later?

Make sure snap support is enabled in your Desktop store.


Install using the command line

Don't have snapd? Get set up for snaps.

Channel Version Published

Detects when world-writable files are created in a specified directory

OWWatcher uses inotify to monitor a directory of your choosing (usually /tmp). If any world-writable files or directories are created in the monitored directory, a notification is logged and/or sent via the syslog protocol to a syslog server of your choosing. This is useful for passively discovering information disclosure, symlink race, or TOCTOU vulnerabilities. Instead of reading source code in search of vulnerabilities, simply configure OWWatcher and go about your business. You can investigate any alerts OWWatcher creates to see if they qualify as vulnerabilities.

"A symlink race is a kind of software security vulnerability that results from a program creating files in an insecure manner. A malicious user can create a symbolic link to a file not otherwise accessible to him or her. When the privileged program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program)." https://en.wikipedia.org/wiki/Symlink_race

Time-of-check to time-of-use (TOCTOU) vulnerabilities are the result of race conditions that occur between the time a software checks the status of a resource (in this case, a file or directory) and the time the software actually uses the resource. One common way that TOCTOU vulnerabilities are manifested is in world-writable files or directories within /tmp. If software creates world-writable files within /tmp, a malicious user could potentially create symlinks or otherwise manipulate the world-writable files in order to cross some security boundary. For an example of how this attack might work, see http://www.cis.syr.edu/~wedu/Teaching/IntrCompSec/LectureNotes_New/Race_Condition.pdf

For a discussion on how to safely create and use files in /tmp, see https://www.netmeister.org/blog/mktemp.html.

This tool is not intended to detect any kind of malware or intrusion. Rather, it is a vulnerability research tool which alerts a researcher of potential information disclosure, symlink race or TOCTOU vulnerabilities as the researcher goes about their daily activities. In this way, the researcher takes a passive approach to discovering these vulnerabilities, rather than a more active approach (e.g. code audits.)

For more information, see https://github.com/mssalvatore/owwatcher.

Developer website

Contact Mike Salvatore

Details for owwatcher

License
GPL-2.0
Last updated
Today

Share this snap

Generate an embeddable card to be shared on external websites.


Related blog posts


Where people are using owwatcher

Users by distribution (log)

Ubuntu 20.04
Ubuntu 18.04

Install owwatcher on your Linux distribution

Choose your Linux distribution to get detailed installation instructions. If yours is not shown, get more details on the installing snapd documentation.


Is there a problem with owwatcher? Report this app