6544307 2001-05-25 18:54 +0100 /142 lines/ Chris Wilson <chris@camcom.co.uk>
Sent by: joel@lysator.liu.se
Imported: 2001-05-26 01:51 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17154>
Subject: Security Bug in InoculateIT for Linux (fwd)
------------------------------------------------------------
From: Chris Wilson <chris@camcom.co.uk>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0105251843540.19711-100000@localhost>

Dear Bugtraq Readers,

We believe we have discovered a security flaw (a /tmp race condition) in Computer Associates' InoculateIT product, a good virus scanner for Microsoft and UNIX platforms which is free for personal use. The vulnerability allows local users to deny service to the system or possibly gain root privileges.

The vulnerability affects some UNIX versions of InoculateIT under certain conditions. Although we tested the Linux version, this version is not vulnerable under normal circumstances. However, we believe that other UNIX versions are basically identical and, given the necessary directory layout, will be vulnerable to this attack.

We notified the vendor (www.ca.com) on Thursday 17th May (over one week ago) and have received no response, so in accordance with RFPolicy (http://www.wiretrip.net/rfp/policy.html) we are making this information public. Please find the advisory below.

Please note that the advisory contains a small mistake. We have discovered that it is not possible, as previously thought, to overwrite any file on the system with arbitrary contents, only with the contents of an FTP download or error message. We believe that this mitigates the risk of exploitation, but we could be wrong.

I wish vendors would reply to their e-mail, but I guess that would be asking too much.

Ciao, Chris.
-- 
 ___ __ _
/ __// / ,__(_)_   | Chris Wilson <chris@camcom.co.uk> | +44 1223 576 516 |
/ (_ / ,\/ _/ /_ \ | Lead Developer - Firewall Systems  | www.camcom.co.uk |
\ _//_/_/_//_/___/ | Unix Systems and Network Engineer  +-- Cambridge UK --+

---------- Forwarded message ----------
Date: Thu, 17 May 2001 17:02:52 +0100 (BST)
From: Chris Wilson <chris@camcom.co.uk>
To: support@ca.com, security@ca.com, info@ca.com, security-alert@ca.com, secure@ca.com
Cc: john@camcom.co.uk, mark@camcom.co.uk
Subject: Security Bug in InoculateIT for Linux

Dear Sirs,

I believe there is a vulnerability in InoculateIT for Linux, and probably other Unix versions of InoculateIT, which allows local non-root users to delete any file on the system, and under some circumstances to overwrite any file on the system, next time the "update_signature" is run by root. If the recommendations in the documentation are followed, this will happen every day at 1am.

The update_signature script, at least in the Linux version, calls ftpdownload to retrieve an updated version of itself. ftpdownload contains a security vulnerability, and update_signature contains a self-destruct mechanism.

1. Insecure temporary files.
============================

ftpdownload contains the following lines:

    wlog=/tmp/ftpdownload.log
    ...
    $CAIGLBL0000/ino/bin/wget $URL -O $LOCAL_FN > $wlog 2>&1

Because the temporary file /tmp/ftpdownload.log has a well-known, non-random name and is created in a public /tmp directory, any user can create a symbolic link from /tmp/ftpdownload.log to another file on the system, and that file will be overwritten. This requires two preconditions:

a) $CAIGLBL0000/ino/bin/wget must exist, otherwise wget is not run.
b) ftpdownload is run as root

If these preconditions are met, and /tmp/ftpdownload.log is a symbolic link to, say, /etc/passwd, then that file will be overwritten next time ftpdownload is run.
This may happen automatically, since the README file gives instructions for installing it as a cron job which executes automatically every day at 1am.

The result is at least a denial of service, and quite possibly a root compromise if you overwrite the correct file.

The solution is to modify the script to store the log file in a secure temp directory, for example:

    wlog=$LOCAL_FN.log

2. Self-Destruct in update_signature.
=====================================

update_signature helpfully renames the current InoculateIT files with a .prev extension before downloading an update, in case the updated files are corrupt or do not work for some reason. However, in the event of a download failure, the .prev files are not restored to their original names. The virus scanner will then refuse to run unless these files are renamed manually, or update_signature.prev is run manually to download a new copy.

An automatic update might fail for a number of reasons, for example if the user's Internet connection has failed, is busy, or is under a denial-of-service attack, or if CA's server crashed, was cracked, or was under heavy load (e.g. around 1am =).

The solution is to change this code:

    else
        echo "Error $? during tar extract"
        exit 16
    fi

to:

    else
        echo "Error $? during tar extract"
        for i in inocucmd virsig.dat README.txt update_signature ftpdownload $id_file; do
            mv -f $i.prev $i
        done
        exit 16
    fi

This advisory notice is RFpolicy compliant (http://www.wiretrip.net/rfp/policy.html). Unless you contact us first, we intend to publish this advisory at 9:00am GMT on the 25th May 2001 (five working days). But please don't make us do that.

Yours sincerely,

Chris Wilson.

-- 
 ___ __ _
/ __// / ,__(_)_   | Chris Wilson <chris@camcom.co.uk> | +44 1223 576 516 |
/ (_ / ,\/ _/ /_ \ | Lead Developer - Firewall Systems  | www.camcom.co.uk |
\ _//_/_/_//_/___/ | Unix Systems and Network Engineer  +-- Cambridge UK --+
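The two fixes the advisory asks for, written out as a hardened sketch. This is an added example, not the advisory's text or the vendor's ftpdownload/update_signature scripts; the install directory, the file list and the wget call are assumptions, and the real download is not performed.

```shell
#!/bin/sh
# Added example, not the vendor's scripts: a hardened sketch of the two fixes
# the advisory recommends. The install directory, file list and the wget call
# are left as parameters; $CAIGLBL0000 and the real download are not shown.

# Fix 1: no fixed, predictable log name in world-writable /tmp. mktemp creates
# a fresh file (mode 0600) and fails instead of reusing a path, so a symlink
# planted in advance is never followed. $1 is the directory that holds
# $LOCAL_FN, which is where the advisory suggests keeping the log.
make_wlog() {
    mktemp "$1/ftpdownload.log.XXXXXX"
}

# Fix 2: on a failed update, move every FILE.prev back to FILE so the scanner
# keeps working. $1 = install directory, remaining args = file names.
# Returns 0 only if every .prev copy was restored.
restore_prev() {
    dir=$1; shift
    status=0
    for i in "$@"; do
        if [ -e "$dir/$i.prev" ]; then
            mv -f "$dir/$i.prev" "$dir/$i" || status=1
        else
            status=1
        fi
    done
    return "$status"
}

# Demo on a constructed scratch install (no real InoculateIT files involved).
# Returns 0 when the rollback and the private log both behave as intended.
demo() {
    scratch=$(mktemp -d) || return 1
    files="inocucmd virsig.dat README.txt update_signature ftpdownload"
    for i in $files; do
        echo "old $i" > "$scratch/$i.prev"   # what update_signature leaves behind
    done
    # the "Error during tar extract" branch: roll back instead of just exiting
    restore_prev "$scratch" $files || return 1
    wlog=$(make_wlog "$scratch") || return 1
    case $wlog in "$scratch"/ftpdownload.log.??????) ;; *) return 1 ;; esac
    [ -f "$scratch/virsig.dat" ] && [ ! -e "$scratch/virsig.dat.prev" ]
}
```

Run `demo` after sourcing the file; it exits 0 when the .prev files were put back and the log landed in the private directory rather than /tmp.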