[8299] in bugtraq
Re: License Manager's lockfiles (Solaris 2.5.1)
daemon@ATHENA.MIT.EDU (Peter Marelas)
Mon Oct 26 15:18:26 1998
Date: Sat, 24 Oct 1998 20:00:43 +1000
Reply-To: Peter Marelas <Peter.Marelas@FULCRUM.COM.AU>
From: Peter Marelas <Peter.Marelas@FULCRUM.COM.AU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.SOL.3.96.981023193402.21466A-100000@kepler>
On Fri, 23 Oct 1998, Roger Harrison ? wrote:
> On Wed, 21 Oct 1998, Joel Eriksson wrote:
>
> > License Manager on Solaris 2.5.1 tends to make stupid lockfiles owned by
> > root and mode 666 (world-writable). That is not good, since anyone could
> > create root-owned files which they then would be able to modify. It's an
> > even bigger problem since it just takes about a minute 'til the lockfile
> > is created after it's replaced with a symlink which it follows ..
>
> I discovered this a few months ago and neglected to post it.
> Solaris 2.6 is affected as well. A lock file locksuntechd is created
> in /tmp mode 666 owned by root and group root. I think the program is
> lmgrd FLEXlm v2.26d that is causing the problems, either that or suntechd.
>
> %ls -la /tmp/locksuntechd
> -rw-rw-rw- 1 root root 0 Oct 22 12:51 locksuntechd
>
> suntechd is in /opt/SUNWspro/SunTech_License/bin/
>
> there is a log file that contains some stuff about when the daemon is
> going up or down and also if users are exploiting it you can see entries
> about the lock file not being available. It is in
> /opt/SUNWspro/SunTech_License/license.log
>
> So to exploit it, just remove the locksuntechd file and replace it with a
> symlink to a file you want to create. It will not overwrite existing
> files from the testing that I did. Then the link is followed and the new
> file is created with mode 666 ownership root. You can then delete the
> symlink and create a new one to somewhere else and it will work again and
> again and again...what fun. Users could create .rhosts files, new system
> webpages, new trojan binaries with names spelled slightly off that get
> misspelled often (finger-fineger, pine-pien, ls-sl) come on.. tell me
> you never typed one of those out wrong while you were typing fast!
>
The version of flexlm you're using is ancient. The current version is 6.1.
A large number of vulnerabilities in flexlm were made public in Sep 1996.
This includes the file permission races in /var/tmp that have been highlighted
here.
The bottom line is flexlm should NOT be run as root.
See http://www.globetrotter.com/auscert.htm for the advisory.
Regards
Peter Marelas
--
/\ The Fulcrum Consulting Group Peter Marelas - Consultant
/\O\ Professional Services For Operation Peter.Marelas@fulcrum.com.au
/ /\ Of A Networked Computing Environment ph: +61-3-9621-2100
/o | \ 12/10-16 Queen St, Melbourne VIC 3000, Australia fx: +61-3-9621-2724
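The defect the thread describes is a lock file opened with O_CREAT, no O_EXCL or O_NOFOLLOW, and mode 0666 in a world-writable directory, so a symlink planted at the lock path is followed. The following C program is an added example, not code from the thread, from FLEXlm or from Globetrotter: it puts that "before" pattern beside a hardened creation routine and probes both in a private temporary directory of its own. The function names, the temporary directory, and the file names "locksuntechd" and "planted" inside it are chosen for this demo; nothing touches a real /tmp lock path.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": the pattern the thread describes.  open() with O_CREAT but no
 * O_EXCL/O_NOFOLLOW follows whatever symlink sits at `path`, and mode 0666
 * leaves the result world-writable.  Kept only for comparison. */
static int create_lock_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* "After": O_CREAT|O_EXCL fails with EEXIST if anything (a symlink included)
 * already occupies `path`; O_NOFOLLOW refuses symlinks outright; the mode
 * gives no write bit to group or other.  fstat() on the descriptor (rather
 * than stat() on the path, which would reopen the race) confirms we hold a
 * regular file we own with no group/other write permission. */
static int create_lock_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Probe (constructed for this demo): in a private temporary directory, plant
 * a dangling symlink where the lock file would go, then call `create` on that
 * path.  Returns 1 if the symlink target was created (the link was followed),
 * 0 if creation was refused, and -1 if the probe could not be set up. */
static int symlink_probe(int (*create)(const char *))
{
    char dir[64] = "/tmp/lockdemo.XXXXXX";
    char lock[128], target[128];
    int fd, result = -1;

    if (mkdtemp(dir) == NULL) {
        /* fall back to the working directory if /tmp is unavailable */
        strcpy(dir, "./lockdemo.XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(lock, sizeof lock, "%s/locksuntechd", dir);
    snprintf(target, sizeof target, "%s/planted", dir);

    if (symlink(target, lock) == 0) {
        fd = create(lock);
        if (fd >= 0)
            close(fd);
        result = (access(target, F_OK) == 0) ? 1 : 0;
        unlink(target);   /* harmless ENOENT when nothing was created */
        unlink(lock);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("unsafe open followed the symlink:   %s\n",
           symlink_probe(create_lock_unsafe) == 1 ? "yes" : "no");
    printf("hardened open followed the symlink: %s\n",
           symlink_probe(create_lock_safe) == 1 ? "yes" : "no");
    return 0;
}
```

The hardened routine only narrows the window; it does not remove the reason Peter gives for not running the daemon as root. A lock file that lives in a world-writable directory is still subject to deletion and re-planting by any local user, so the real fix is a lock path in a directory writable only by the daemon's own unprivileged account.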