[20742] in bugtraq


[SRT2001-10] - scoadmin /tmp issues

daemon@ATHENA.MIT.EDU (Richard Johnson)
Tue May 22 18:51:53 2001

From: "Richard Johnson" <thief@snosoft.com>
To: <bugtraq@securityfocus.com>
Cc: "Recon@Snosoft. Com" <recon@snosoft.com>, <alf@sco.com>
Date: Tue, 22 May 2001 14:21:00 -0400
Message-ID: <NLEHLKOFLLKOOLIIJPIPEELGCIAA.thief@snosoft.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

======================================================================
Strategic Reconnaissance Team Security Advisory(SRT2001-10)
Topic: scoadmin /tmp issues
Vendor: Santa Cruz Operations
Release Date: 05/07/01
======================================================================
.: Description
scoadmin makes poor use of /tmp. File names are very predictable.

.: Impact
As a user: ln -s /etc/passwd /tmp/tclerror.1195.log
Wait for root to run scoadmin from xwindows and voila!
When he does, he will clobber /etc/passwd with a garbage file.

In order to get the /tmp/tclerror.pid.log you need for root to have an
improper term or cause some other error to happen.
A good way to force an error is to stop xm_vtcld from opening...
kindly leave a file where it wants its socket and it will complain.

As a normal user: touch /tmp/5111_342.0
When root goes to run scoadmin he will get an error and clobber his
passwd file due to the ln -s on the tclerror.PID.log you left for him.

.: Workaround
Don't use scoadmin.

.: Systems Affected
Unixware 5.x

.: Proof of Concept
ln -s /etc/passwd /tmp/tclerror.1195.log

.: Vendor Status
A copy of this advisory was mailed to their attention.

.: Credit
Kevin Finisterre
dotslash@snosoft.com

.: DISCLAIMER

======================================================================
©Copyright 2001 Secure Network Operations, Inc.  All Rights Reserved.
Strategic Reconnaissance Team | recon@snosoft.com
http://recon.snosoft.com      | http://www.snosoft.com
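
An added example, not part of the original advisory and not SCO's code: the general fix for a privileged program that writes a log at a predictable /tmp path, shown in C. The function names and the scratch-directory layout are assumptions made for illustration; how scoadmin itself opens its files is not shown in the advisory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hardened open for a log at a fixed path: O_CREAT|O_EXCL fails with EEXIST
 * if anything, including a symlink, already sits at the path, so a planted
 * link is never followed. O_NOFOLLOW is a second guard. */
int open_log_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and opens it with
 * O_EXCL, mode 0600. The template must end in XXXXXX. */
int open_log_random(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Constructed scenario inside a private scratch directory. Returns 1 when
 * the planted symlink is refused and the target keeps its contents. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/srt-demo-XXXXXX";
    char target[64], lnk[64], buf[8] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(lnk, sizeof lnk, "%s/tclerror.1195.log", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4) return -1;
    close(fd);
    if (symlink(target, lnk) != 0) return -1;
    int refused = open_log_safe(lnk) < 0;        /* expect EEXIST */
    fd = open(target, O_RDONLY);
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return refused && n == 4 && strcmp(buf, "keep") == 0;
}

int main(void)
{
    printf("planted link refused, target intact: %d\n", demo_symlink_refused());
    return 0;
}
```

A caller of open_log_safe() should treat EEXIST as a hard error and report it, not unlink the path and retry.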
