Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Chris Wilson (chriscamcom.co.uk)
Date: Fri May 25 2001 - 12:54:13 CDT
Dear Bugtraq Readers,
We believe we have discovered a security flaw (a /tmp race condition) in
Computer Associates' InoculateIT product, a good virus scanner for
Microsoft and UNIX platforms which is free for personal use. The
vulnerability allows local users to deny service to the system or possibly
gain root privileges.
The vulnerability affects some UNIX versions of InoculateIT under certain
conditions. Although we tested the Linux version, this version is not
vulnerable under normal circumstances. However, we believe that other UNIX
versions are basically identical and, given the necessary directory
layout, will be vulnerable to this attack.
We notified the vendor (www.ca.com) on Thursday 17th May (over one week
ago) and have received no response, so in accordance with RFPolicy
(http://www.wiretrip.net/rfp/policy.html) we are making this information
public. Please find the advisory below.
Please note that the advisory contains a small mistake. We have discovered
that it is not possible, as previously thought, to overwrite any file on
the system with arbitrary contents, only with the contents of an FTP
download or error message. We believe that this mitigates the risk of
exploitation, but we could be wrong.
I wish vendors would reply to their e-mail, but I guess that would be
asking too much.
-- ___ __ _ / __// / ,__(_)_ | Chris Wilson <chriscamcom.co.uk> | +44 1223 576 516 | / (_ / ,\/ _/ /_ \ | Lead Developer - Firewall Systems | www.camcom.co.uk | \ _//_/_/_//_/___/ | Unix Systems and Network Engineer +-- Cambridge UK --+
---------- Forwarded message ---------- Date: Thu, 17 May 2001 17:02:52 +0100 (BST) From: Chris Wilson <chriscamcom.co.uk> To: supportca.com, securityca.com, infoca.com, security-alertca.com, secureca.com Cc: johncamcom.co.uk, markcamcom.co.uk Subject: Security Bug in InoculateIT for Linux
I believe there is a vulnerability in InoculateIT for Linux, and probably other Unix versions of InoculateIT, which allows local non-root users to delete any file on the system, and under some circumstances to overwrite any file on the system, next time the "update_signature" is run by root. If the recommendations in the documentation are followed, this will happen every day at 1am.
The update_signature script, at least in the Linux version, calls ftpdownload to retrieve an updated version of itself. ftpdownload contains a security vulnerability, and update_signature contains a self-destruct mechanism.
1. Insecure temporary files. ============================
ftpdownload contains the following lines:
wlog=/tmp/ftpdownload.log ... $CAIGLBL0000/ino/bin/wget $URL -O $LOCAL_FN > $wlog 2>&1
Because the temporary file /tmp/ftpdownload.log has a well-known, non-random name and is created in a public /tmp directory, any user can create a symbolic link from /tmp/ftpdownload.tmp to another file on the system, and that file will be overwritten. This requires two preconditions:
a) $CAIGLBL0000/ino/bin/wget must exist, otherwise wget is not run. b) ftpdownload is run as root
If these preconditions are met, and /tmp/ftpdownload.log is a symbolic link to, say, /etc/passwd, then that file will be overwritten next time ftpdownload is run. This may happen automatically, since the README file gives instructions for installing it as a cron job which executes automatically every day at 1am. The result is at least a denial of service, and quite possibly a root compromise if you overwrite the correct file.
The solution is to modify the script to store the log file in a secure temp directory, for example:
2. Self-Destruct in update_signature. =====================================
update_signature helpfully renames the current InoculateIT files with a .prev extension before downloading an update, in case the updated files are corrupt or do not work for some reason. However, in the event of a download failure, the .prev files are not restored to their original named. The virus scanner will then refuse to run unless these files are renamed manually, or update_singature.prev is run manually to download a new copy.
An automatic update might fail for a number of reasons, for example if the user's Internet connection has failed, is busy, or is under a denial-of-service attack, or if CA's server crashed, was cracked, or was under heavy load (e.g. around 1am =).
The solution is to change this code:
else echo "Error $? during tar extract" exit 16 fi
else echo "Error $? during tar extract" for i in inocucmd virsig.dat README.txt update_signature ftpdownload $id_file; do mv -f $i.prev $i done exit 16 fi
This advisory notice is RFpolicy compliant (http://www.wiretrip.net/rfp/policy.html). Unless you contact us first, we intend to publish this advisory at 9:00am GMT on the 25th May 2001 (five working days). But please don't make us do that.
Chris Wilson. -- ___ __ _ / __// / ,__(_)_ | Chris Wilson <chriscamcom.co.uk> | +44 1223 576 516 | / (_ / ,\/ _/ /_ \ | Lead Developer - Firewall Systems | www.camcom.co.uk | \ _//_/_/_//_/___/ | Unix Systems and Network Engineer +-- Cambridge UK --+