linux, säkerhet

5564272 2000-10-08  21:42  /185 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <13152>
Ärende: ISS Security Advisory: Insecure call of external programs in Red Hat Linux tmpwatch
------------------------------------------------------------

From: X-Force <xforce@ISS.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.3.95.1001006195145.145A-100000@arden.iss.net>

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
October 6, 2000

Insecure call of external programs in Red Hat Linux tmpwatch

Synopsis:

The tmpwatch utility is used in Red Hat Linux to remove temporary
files. This utility has an option to call the "fuser" program, which
verifies if a file is currently opened by a process. The fuser
program is invoked within tmpwatch by calling the system() library
subroutine. Insecure handling of the arguments to this subroutine
could potentially allow an attacker to execute arbitrary commands.

Impact:

This vulnerability may allow local attackers to compromise superuser
access if tmpwatch is used by the administrator in a non-default
manner.

Affected Versions:

Red Hat Linux 7.0 (tmpwatch v2.5.1)
Red Hat Linux 6.2 (tmpwatch v2.2)

Use the 'rpm -q tmpwatch' command to verify which version is
installed. The tmpwatch package as well as the package containing
fuser are included in the default base installation. By default,
tmpwatch with the fuser option is not used in any package shipped
with the Red Hat distributions.

Description:

The tmpwatch tool removes files that have not been modified or
accessed within a specified amount of time. It was designed to
securely remove files by avoiding typical race condition
vulnerabilities. System administrators usually run this tool
periodically to remove old temporary files in world-writeable
directories.

The tmpwatch tool uses the --fuser or -s options to avoid removing a
file that is in an open state in another process.  This option uses
the system() library subroutine to call the external program
/sbin/fuser with the file name being examined as an argument.  The
system() subroutine spawns a shell to execute the command.  An
attacker may create a file name containing shell metacharacters,
which could allow them to execute arbitrary commands if tmpwatch with
the fuser option is used to remove the file.

Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch
packages suggests this vulnerability was recognized and a fix was
attempted. However, the fix is incorrect, and the vulnerability is
still exploitable.

Recommendations:

Do not use the --fuser or -s options with tmpwatch.

Red Hat has issued the following RPMs that contain fixes for this
vulnerability.

Red Hat Linux 6.2:

alpha:
ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm

Red Hat Linux 7.0:

i386:
ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm

sources:
ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm

Verification:

MD5 sum                           Package Name
- --------------------------------------------------------------------------
b8a670944cc54fd39c9eefb79f147ec1  6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm
39fe4fbf666e5f9a40503134c05046d8  6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm
84609abc355fde23ce878e4d310766f8  6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm
f4625e9bc27af011a614eaa146586917  6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm
b1a9201c44a5f921209c9b648ba85ada  7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm
8acf394469c47a98fcc589dd0d73b98c  7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Red Hat's key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>


Developer Recommendations:

If an external program needs to be called within a process, try to
avoid the system() subroutine. Use the execve() subroutine instead.
See the Secure UNIX Programming FAQ for details:

http://www.whitefang.com/sup/secure-faq.html#INPUT3

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the Name CAN-2000-0816 to this issue. This is a candidate for
inclusion in the CVE list http://cve.mitre.org, which standardizes
names for security problems.

Credits:

This vulnerability was discovered and researched by Allen Wilson and
Aaron Campbell of the ISS X-Force.

The vendor contact in regards to this vulnerability was performed
with the help of the SecurityFocus.com Vulnerability Help Team. For
more information or assistance drafting advisories please mail
vulnhelp@securityfocus.com.

_____

About Internet Security Systems (ISS) Internet Security Systems (ISS)
is a leading global provider of security management solutions for the
Internet. By providing industry-leading SAFEsuite security software,
remote managed security services, and strategic consulting and
education offerings, ISS is a trusted security provider to its
customers, protecting digital assets and ensuring safe and
uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest
U.S.  commercial banks, 10 of the largest telecommunications
companies and over 35 government agencies. Founded in 1994, ISS is
headquartered in Atlanta, GA, with additional offices throughout
North America and international operations in Asia, Australia,
Europe, Latin America and the Middle East. For more information,
visit the Internet Security Systems web site at www.iss.net or call
888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this
information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information. Any use of this information is at the user's own
risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOd5lczRfJiV99eG9AQFcWwQAje1iGLZa2YWJ+i8dDm8MvJa64F1+ABb3
G0EuESss5yQw8FV1XO7r8JfjU9UndMNg1i7r5xmWCbUIXuP5M6EHsITubt6qoRy+
UyyEKpQs6t7Gixxs4rVdc+ztdxV2nARvPzorZUBAthPn7lDbPWDTVYpzubgbW7Pq
Lto9f6L0w6c=
=6aRu
-----END PGP SIGNATURE-----
(5564272) ------------------------------------------(Ombruten)