[9715] in bugtraq
ISS install.iss security hole
daemon@ATHENA.MIT.EDU (Fyodor)
Sun Feb 21 23:27:32 1999
Date: Sat, 20 Feb 1999 20:59:23 -0500
Reply-To: Fyodor <fyodor@DHP.COM>
From: Fyodor <fyodor@DHP.COM>
To: BUGTRAQ@NETSPACE.ORG
Today I downloade the latest trial version of Internet Security Scanner
for Linux (version 5.3).
The install program (shell script) requires that you be root, even if you
want to install ISS in your home directory. I decided to edit the script
to comment out the root-check, and was rather shocked when I saw what they
are doing in install.iss:
# Only root can pass the next four operations.
# Yes it's ugly - BUT IT WORKS!
touch /tmp/.root.$$ >> /dev/null 2>&1
chmod 600 /tmp/.root.$$ >> /dev/null 2>&1
Obviously this is vulnerable to the standard tmp-symlink problem. And
they don't even look for the file first, so there is no need to worry
about exploiting race conditions -- just stick the 65K symlinks in /tmp
and wait for root to install ISS (you might have to wait a while ;). I've
tested that you can chmod whatever file you want to 600. This could make
for an easy DOS, but off the top of my head I don't see much more exploit
potential.
While this is probably not going to be exploited much (if ever), it really
concerns me that kindergarden-level security holes are still present in
current mass market **security** software. Remember that ISS chooses not
to offer us (or even paying customers!) the source code for their scanner.
So we have to trust ISS programmers are highly competent and aware of
secure coding issues. When I find problems like the one above without
even looking for them, I have to wonder whether this trust is misplaced.
Cheers,
Fyodor
PS (shameless plug): Version 2.08 of the nmap security scanner is
available free, with source code, at http://www.insecure.org/nmap/
--
Fyodor 'finger pgp@www.insecure.org | pgp -fka'
"Girls are different from hacking. You can't just brute force them if all
else fails." --SKiMo, quoted in _Underground_ (good book)
