[22433] in bugtraq
Dangerous temp file creation during installation of Netscape 6.
daemon@ATHENA.MIT.EDU (Larry W. Cashdollar)
Mon Aug 27 14:27:56 2001
Date: Mon, 27 Aug 2001 13:55:27 -0400 (EDT)
From: "Larry W. Cashdollar" <lwc@Vapid.dhs.org>
To: bugtraq@securityfocus.com
Message-ID: <Pine.SOL.4.21.0108271354280.30945-100000@Vapid.dhs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
During installation of Netscape 6.01a for Solaris 2.7/8 Sparc, I noticed
the file /tmp/admin.3842 was created with mode 644. As you already know
if this package is installed by root in multiuser mode a malicious user
could use this to overwrite system files etc..
Here is the dangerous code:
# grep tmp ns6install
cat >/tmp/admin.$$ <<EOF
/usr/sbin/pkgrm -n -a /tmp/admin.$$ ${pkg}.* 2>&1
/usr/sbin/pkgadd -n -a /tmp/admin.$$ -d `pwd` $pkg 2>&1
#
A temporary work around would be to shut the system down into single user
mode, clean out /tmp and then install.
In reference too:
http://www.sun.com/solaris/netscape/index.html
-- Larry
http://vapid.dhs.org:8080
