5384254 2000-08-21 20:36 /71 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12315>
Subject: Helix Code Security Advisory - Helix GNOME Update
------------------------------------------------------------
From: "Helix Code, Inc." <security@HELIXCODE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200008200739.DAA25668@trna.helixcode.com>

HELIX CODE, INC. SECURITY ADVISORY
security@helixcode.com
Issue Date: 20 Aug 2000

PACKAGES AFFECTED:
Helix GNOME Updater (helix-update), versions 0.1 through 0.5

SYNOPSIS:
A vulnerability in Helix GNOME Update allows non-root users to exploit world-writable permissions on /tmp, permitting arbitrarily modified RPM packages to be installed on the system.

DESCRIPTION:
A directory called /tmp/helix-install is used to store downloaded RPM packages to be installed. If that directory was created by a malicious non-root user prior to root launching the application, the malicious user could place arbitrary RPM packages in that directory which could be installed and used to compromise the security of the system.

SOLUTION:
A new version of the Helix GNOME Updater (0.6) has been released. This new version fixes this vulnerability by storing downloaded files in /var/cache/helix-install, which is writable only by root.

AVAILABILITY:
New versions of the Helix GNOME Updater are available immediately from Helix Code, Inc. A list of supported distributions, platforms and versions can be found at http://www.helixcode.com/desktop/download.php3.

For Caldera OpenLinux eDesktop systems:
http://spidermonkey.helixcode.com/distributions/Caldera-2.4/helix-update-0.6-0_helix_2.i386.rpm

For LinuxPPC systems:
http://spidermonkey.helixcode.com/distributions/LinuxPPC/helix-update-0.6.0_helix_2.ppc.rpm

For Linux Mandrake systems:
http://spidermonkey.helixcode.com/distributions/Mandrake/helix-update-0.6-0mdk_helix_2.i586.rpm

For Red Hat Linux systems:
http://spidermonkey.helixcode.com/distributions/RedHat-6/helix-update-0.6-0_helix_2.i386.rpm

For Solaris systems:
http://spidermonkey.helixcode.com/distributions/Solaris/helix-update-0.6-0_helix_1.sparc64.rpm

For SuSE 6.3 systems:
http://spidermonkey.helixcode.com/distributions/SuSE/hupdate-0.6-0_helix_2.i386.rpm

For SuSE 6.4 systems:
http://spidermonkey.helixcode.com/distributions/SuSE-6.4/hupdate-0.6-0_helix_2.i386.rpm

For TurboLinux systems:
http://spidermonkey.helixcode.com/distributions/TurboLinux-6/helix-update-0.6-0_helix_3.i386.rpm

VERIFICATION:
cebf0dfee4b6e3863d6accf18323f143  Caldera-2.4/helix-update-0.6-0_helix_2.i386.rpm
a72044ce71275aafb1aad39efc72abae  LinuxPPC/helix-update-0.6-0_helix_2.ppc.rpm
80facf4bc809e462c428a004b0940247  Mandrake/helix-update-0.6-0mdk_helix_2.i586.rpm
0d50980e0206ae3d22364879fc64bb61  RedHat-6/helix-update-0.6-0_helix_2.i386.rpm
1eec4c82ba6a9c7cc2f5645cbcaa5f66  Solaris/helix-update-0.6-0_helix_1.sparc64.rpm
410a4958c95b4426f711d0e5ffae7fb4  SuSE/hupdate-0.6-0_helix_2.i386.rpm
cd5c18a4c9be10c6c311e8785408e6ec  SuSE-6.4/hupdate-0.6-0_helix_2.i386.rpm
c539209a2b2f2ab514126964cfaddda1  TurboLinux-6/helix-update-0.6-0_helix_3.i386.rpm

Copyright (C) 2000 Helix Code, Inc.
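The weakness this advisory describes, and items 2 and 3 of Alan Cox's analysis in the next message, come down to trusting a directory under /tmp that another local user may already own. The C program below is an added example, not Helix Code's code, of how an updater can refuse such a directory and keep its cleanup confined to it: the directory is opened with O_NOFOLLOW and O_DIRECTORY, the opened object is checked for ownership and for group/world write bits, and files are removed through the directory fd with unlinkat so a later swap of the path cannot redirect the deletion elsewhere. The function names, the scratch directory and the three scenarios are assumptions constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the download directory only if it is safe to use: a real directory
 * (not a symlink), owned by the user running the updater, and not writable by
 * group or others. Returns a directory fd, or -1. Every later file operation
 * goes through that fd, not through the path. (Hypothetical helper.) */
int open_download_dir(const char *path)
{
    if (mkdir(path, 0700) < 0 && errno != EEXIST)
        return -1;                       /* parent not writable, etc. */

    /* O_NOFOLLOW: a planted symlink fails with ELOOP.
     * O_DIRECTORY: a plain file under that name is refused. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0                     /* inspect what we opened */
        || !S_ISDIR(st.st_mode)
        || st.st_uid != geteuid()              /* somebody else created it */
        || (st.st_mode & (S_IWGRP | S_IWOTH))) /* others could plant files */
    {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Delete a downloaded package by name relative to the directory fd. Anything
 * that is not a plain file name is rejected, so the deletion can never land
 * outside the download directory. (Hypothetical helper.) */
int remove_downloaded_file(int dirfd, const char *name)
{
    if (name[0] == '\0' || strchr(name, '/')
        || strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    return unlinkat(dirfd, name, 0);
}

/* Demo: runs the checks against constructed directories inside a fresh private
 * scratch directory. Returns a bit mask of scenarios that behaved as expected
 * (7 means all three did). */
int demo(void)
{
    char scratch[] = "/tmp/helix-demo-XXXXXX";  /* constructed, mode 0700, ours */
    if (!mkdtemp(scratch))
        return 0;
    int result = 0;
    char path[sizeof scratch + 32];

    /* 1. A directory we create ourselves is accepted; cleanup stays inside it. */
    snprintf(path, sizeof path, "%s/good", scratch);
    int fd = open_download_dir(path);
    if (fd >= 0) {
        int f = openat(fd, "pkg.rpm", O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (f >= 0 && close(f) == 0
            && remove_downloaded_file(fd, "pkg.rpm") == 0
            && remove_downloaded_file(fd, "../pkg.rpm") < 0)
            result |= 1;
        close(fd);
    }

    /* 2. A pre-existing world-writable directory (the 0.1-0.5 situation) is refused. */
    snprintf(path, sizeof path, "%s/bad", scratch);
    if (mkdir(path, 0777) == 0 && chmod(path, 0777) == 0 && open_download_dir(path) < 0)
        result |= 2;

    /* 3. A symlink planted under the expected name is refused by O_NOFOLLOW. */
    snprintf(path, sizeof path, "%s/link", scratch);
    if (symlink(scratch, path) == 0 && open_download_dir(path) < 0)
        result |= 4;

    /* Remove the scratch tree so repeated runs do not accumulate directories. */
    snprintf(path, sizeof path, "%s/good", scratch); rmdir(path);
    snprintf(path, sizeof path, "%s/bad", scratch);  rmdir(path);
    snprintf(path, sizeof path, "%s/link", scratch); unlink(path);
    rmdir(scratch);
    return result;
}
```

Moving the default location to a root-owned /var/cache directory, as the 0.6 release does, avoids the shared /tmp altogether; the ownership and mode check above still catches a directory that was replaced or left misconfigured, and routing deletions through the directory fd is what keeps a cleanup pass from touching files anywhere else.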
5384801 2000-08-21 22:17 /75 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12323>
Subject: Multiple Local Vulnerabilities in Helix Gnome Installer
------------------------------------------------------------
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <E13QAYl-0007il-00@the-village.bc.nu>

Multiple Vulnerabilities In Helix Gnome Installer 0.2

VULNERABILITIES:

The Helix installer contains multiple locally exploitable vulnerabilities.

1. Several of the gdmify functions are vulnerable to attack because they use system and /tmp in unsafe manners.

   > SuSE and Caldera

   A mkdir of the right path by any user prior to root running the Helix Installer will blank real config files, losing parts of the user's system configuration.

   > Other

   The other cases appear safe basically by chance.

2. The downloader tries to use a /tmp/helix_install directory, which at first seems a good idea. Unfortunately

       rc = mkdir(download_dir, 0600);
       if (rc < 0) {
           if (errno != EEXIST) {
               error_box(g_strdup_printf("Helix GNOME Update was
               exit(1);
           }
       }

   In other words, if I get there first and create a mode 777 directory the Helix user may end up installing arbitrarily modified packages from a local attacker.

3. When the user quits the updater, the updating code on the version inspected attempts to delete the files in the download directory. Unfortunately, due to an elementary coding error, it deletes each file in the download directory with a corresponding file in /var/tmp.

Bugs 2 and 3 combine to allow any hostile local user to make the user of the Helix Updater delete arbitrary files.

There are other potential holes in the check_rpm code but these depend on the XML database file fetched from helixcode.com being compromised.
It would appear possible to create a remote exploit based on DNS spoofing to feed such a tampered XML file to the Installer, but this would be an extremely tricky stunt and has not been attempted.

Oddly enough, given these errors, the usual buffer overrun bugs appear absent. The authors make religious use of glib safe string functionality.

WORKAROUND:

Firstly, if you have no untrusted users on the machine you need not worry about bugs 1-3. This means the majority of users need not worry.

If you have untrusted users you should set the download directory rather than use the tmp default. A user will be able to delete arbitrary files in the directory you use, but this can be a new empty directory, so this is an acceptable workaround. Be sure to also change the download directory in instances of the updater run from cron or at.

NOTES:

Helixcode were notified about this on the 7th August.

5385037 2000-08-21 23:27 /59 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12332>
Subject: [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
------------------------------------------------------------
From: Joe Shaw <joe@HELIXCODE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0008200308330.23120@trna.helixcode.com>

HELIX CODE, INC. SECURITY ADVISORY
security@helixcode.com
Issue Date: 20 Aug 2000

PACKAGES AFFECTED:
Helix GNOME Installer, versions 0.1 through 0.5

SYNOPSIS:
Vulnerabilities in the Helix GNOME Installer allow non-root users to exploit world-writable permissions on /tmp to damage a system's configuration files or install arbitrarily modified RPM packages.

DESCRIPTION:
Temporary copies of the /etc/config.d/bashrc, /etc/config.d/csh.cshrc, and /etc/rc.d/rc.gui files on Caldera OpenLinux eDesktop 2.4 and /etc/rc.config on SuSE 6.3 and 6.4 are stored in the /tmp directory, modified, and moved back into their original locations.
A mkdir of the right path by any user prior to root running the Helix GNOME Installer can result in a system's configuration files being lost.

Furthermore, a directory called /tmp/helix-install is used to download packages to be installed. If that directory was created by a malicious non-root user, arbitrarily placed packages could be installed onto the system.

SOLUTION:
A new version of the Helix GNOME Installer (0.6) has been released. This new version fixes both vulnerabilities. The first is solved by making backups of the system files in the same directory from which they came, and doing the operation on these files in-place. The second is solved by moving the default download directory to /var/cache/helix-install, which is writable only by root.

AVAILABILITY:
New versions of the Helix GNOME Installer are available immediately from Helix Code, Inc. A list of supported systems can be found at http://www.helixcode.com/desktop/download.php3.

For supported i386 systems:
http://spidermonkey.helixcode.com/installer-latest-intel.gz

For supported PPC systems:
http://spidermonkey.helixcode.com/installer-latest-ppc.gz

For supported UltraSparc Solaris systems:
http://spidermonkey.helixcode.com/installer-latest-solaris.Z

VERIFICATION:
d6b369c223fd9e460581f92fba64d3b8  installer-latest-intel.gz
9223cae466e44a3627fc9be492a83c62  installer-latest-ppc.gz
61119233e77b4d5e2deb7989e79a1f0b  installer-latest-solaris.Z

Copyright (C) 2000 Helix Code, Inc.
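The first fix in the advisory above, a backup kept in the same directory as the system file and the edit performed in place, removes /tmp from the picture entirely. The C program below is an added example, not the installer's own code, of one way to implement that pattern: the new contents are written to a temporary created by mkstemp beside the target (O_EXCL, mode 0600, so nobody else can have planted it), the original inode is kept reachable as a hard-linked backup, and rename(2) swaps the new file in atomically. The function names are assumptions, and the rc.config contents used in the demo are constructed; the rewrite shown merely flips one variable, which stands in for whatever change an installer would make.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Rewrite a config file without leaving the directory it lives in. `rewrite`
 * reads the old contents from `in` and writes the new ones to `out`. A backup
 * named path + ".orig" is kept beside the file. Returns 0, or -1 with errno.
 * (Hypothetical helper.) */
int edit_config_in_place(const char *path, int (*rewrite)(FILE *in, FILE *out))
{
    char tmp[PATH_MAX], bak[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp ||
        snprintf(bak, sizeof bak, "%s.orig", path) >= (int)sizeof bak) {
        errno = ENAMETOOLONG;
        return -1;
    }

    FILE *in = fopen(path, "r");
    if (!in)
        return -1;

    /* mkstemp(3) creates the temporary O_EXCL with mode 0600 next to the
     * target, so no other user can have pre-created or symlinked it. */
    int fd = mkstemp(tmp);
    if (fd < 0) { fclose(in); return -1; }

    struct stat st;
    FILE *out = NULL;
    if (fstat(fileno(in), &st) == 0 && fchmod(fd, st.st_mode & 07777) == 0)
        out = fdopen(fd, "w");          /* new file keeps the old permissions */
    if (!out) { close(fd); unlink(tmp); fclose(in); return -1; }

    int ok = rewrite(in, out) == 0 && fflush(out) == 0 && fsync(fd) == 0;
    fclose(in);
    if (fclose(out) != 0)
        ok = 0;
    if (!ok) { unlink(tmp); return -1; }

    /* The backup is a hard link to the original inode, in the same directory;
     * rename(2) then replaces the file atomically. */
    unlink(bak);                        /* drop a stale backup; ENOENT is fine */
    if (link(path, bak) < 0 || rename(tmp, path) < 0) { unlink(tmp); return -1; }
    return 0;
}

/* Example rewrite: set START_GUI to "yes" and copy every other line unchanged.
 * (Constructed for the demo; not what the installer actually edits.) */
int enable_gui(FILE *in, FILE *out)
{
    char line[4096];
    int seen = 0;
    while (fgets(line, sizeof line, in)) {
        if (strncmp(line, "START_GUI=", 10) == 0) {
            fputs("START_GUI=\"yes\"\n", out);
            seen = 1;
        } else {
            fputs(line, out);
        }
    }
    if (!seen)
        fputs("START_GUI=\"yes\"\n", out);
    return (ferror(in) || ferror(out)) ? -1 : 0;
}

/* Demo on a constructed rc.config inside a private scratch directory. Returns
 * 1 when the file was rewritten and the backup still holds the original text. */
int demo(void)
{
    char dir[] = "/tmp/helix-cfg-XXXXXX";      /* constructed scratch directory */
    if (!mkdtemp(dir))
        return 0;
    char path[64], bak[80];
    snprintf(path, sizeof path, "%s/rc.config", dir);
    snprintf(bak, sizeof bak, "%s.orig", path);

    const char *original = "# constructed sample\nSTART_GUI=\"no\"\nDISPLAYMANAGER=\"gdm\"\n";
    FILE *f = fopen(path, "w");
    if (!f || fputs(original, f) == EOF || fclose(f) != 0)
        return 0;

    int rc = edit_config_in_place(path, enable_gui);

    char got[256] = {0}, saved[256] = {0};
    f = fopen(path, "r"); if (f) { fread(got, 1, sizeof got - 1, f); fclose(f); }
    f = fopen(bak, "r");  if (f) { fread(saved, 1, sizeof saved - 1, f); fclose(f); }

    int ok = rc == 0
          && strcmp(got, "# constructed sample\nSTART_GUI=\"yes\"\nDISPLAYMANAGER=\"gdm\"\n") == 0
          && strcmp(saved, original) == 0;

    unlink(path); unlink(bak); rmdir(dir);
    return ok;
}
```

Because the temporary and the backup live in the directory of the file being edited (for /etc/rc.config that is /etc, writable only by root), a pre-created path in /tmp no longer has anything to collide with, and a failed run leaves the original untouched rather than blanked.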