[17107] in bugtraq
Re: ISS Security Advisory: Insecure call of external programs in
daemon@ATHENA.MIT.EDU (Alfred Perlstein)
Mon Oct 9 14:18:22 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20001008162024.H272@fw.wintelcom.net>
Date: Sun, 8 Oct 2000 16:20:24 -0700
Reply-To: Alfred Perlstein <bright@WINTELCOM.NET>
From: Alfred Perlstein <bright@WINTELCOM.NET>
X-To: X-Force <xforce@ISS.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.3.95.1001006195145.145A-100000@arden.iss.net>; from
xforce@ISS.NET on Fri, Oct 06, 2000 at 07:52:18PM -0400
* X-Force <xforce@ISS.NET> [001008 12:30] wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Internet Security Systems Security Advisory
> October 6, 2000
>
> Insecure call of external programs in Red Hat Linux tmpwatch
>
> Synopsis:
>
> The tmpwatch utility is used in Red Hat Linux to remove temporary files. This
> utility has an option to call the "fuser" program, which verifies if a file is
> currently opened by a process. The fuser program is invoked within tmpwatch by
> calling the system() library subroutine. Insecure handling of the arguments to
> this subroutine could potentially allow an attacker to execute arbitrary
> commands.
>
> Credits:
>
> This vulnerability was discovered and researched by Allen Wilson and Aaron
> Campbell of the ISS X-Force.
>
> The vendor contact in regards to this vulnerability was performed with the
> help of the SecurityFocus.com Vulnerability Help Team. For more
> information or assistance drafting advisories please mail
> vulnhelp@securityfocus.com.
T ALEPH1 PLZ ALLOW POSTS FROM NORMAL USERZ AND NOT JUST SKRIPT
KIDDIEZ AND HAXX0RS WITH 31337 GROUP NAMEZ, K THNX.
translation: Aleph, I posted about this almost a month ago, but
you didn't let it through, please take the time to review my posts,
I don't have the time to start any security groups nor do I wish
to send gr33tz to any of my friends on irc, I just want my comments
to be known.
From bright@wintelcom.net Sat Sep 9 14:39:41 2000
Date: Sat, 9 Sep 2000 14:39:41 -0700
From: Alfred Perlstein <bright@wintelcom.net>
To: zenith parsec <zenith_parsec@THE-ASTRONAUT.COM>
Cc: BUGTRAQ@SECURITYFOCUS.COM
Subject: execute arbitrary commands with tmpwatch? Re: tmpwatch: local DoS : fork()bomb as root
Message-ID: <20000909143941.W12231@fw.wintelcom.net>
References: <20000909105828.20274.qmail@fiver.freemessage.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20000909105828.20274.qmail@fiver.freemessage.com>; from zenith_parsec@THE-ASTRONAUT.COM on Sat, Sep 09, 2000 at 10:58:28AM -0000
Status: RO
Content-Length: 1588
Lines: 60
* zenith parsec <zenith_parsec@THE-ASTRONAUT.COM> [000909 08:17] wrote:
> sent through bugzilla.redhat.com
> no reply from responsible person.
> here it goes.
>
> Local DoS in /usr/sbin/tmpwatch. root fork()bombs himself.
...
> # chmod 400 /etc/cron.daily/tmpwatch
> # chmod 400 /usr/sbin/tmpwatch
> #
>
>
> oh yeah.
>
> slocate also segfaults on that directory.
>
> $ ./a
> to delete all the ./A/A/A/A/..... directories you own.
>
> i hope.
This is cute, where is the bugfix though?
From a copy of the program (version 2.2):
/* Do everything in a child process so we don't have to chdir(".."),
which would lead to a race condition. fork() on Linux is very efficient
so this shouldn't be a big deal (probably just a exception on one page
of stack, not bad). I should probably just keep a directory stack
and fchdir() back up it, but it's not worth changing now. */
1) hahahahahaha
2) this utility should be rewritten to just run its checks on the
output from find which is a utility that's most likely smarter
and proven about directory traversal than this thing.
Also:
snprintf(cmd, 255, "/sbin/fuser %s/%s > /dev/null 2>&1",
    dirname, ent->d_name);
USE SIZEOF DAMMIT.
sheesh!
Waitasec... there _could_ be a problem here...
touch '/tmp/;chmod 4755 $SHELL'
oops. :)
I don't run linux so I can't test this easily, maybe someone else can
confirm it and let me know?
thanks,
--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
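A hardened replacement for the snprintf()/system() call quoted above, as an added example that is not part of this post or of tmpwatch itself: the path is bounded with the real buffer size and handed to fuser as a single argv element via fork()/execv(), so shell metacharacters in a filename are never interpreted. The fuser binary path is a parameter of the helper (an assumption of this example, so it can be exercised with any executable) and the sample filename is constructed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Join dirname/name into buf using the caller's real buffer size (pass
   sizeof at the call site), and refuse the path instead of silently
   truncating it. Returns 0 on success, -1 if it would not fit. */
int join_path(char *buf, size_t bufsz, const char *dirname, const char *name)
{
    int n = snprintf(buf, bufsz, "%s/%s", dirname, name);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return 0;
}

/* Ask fuser whether `path` is open, without a shell: the path travels as
   one argv element, so ';', '$', quotes or newlines inside a filename are
   plain bytes to fuser, never commands. fuser_bin is parameterised (an
   assumption of this example) so the routine can be run with any binary.
   Returns the child's exit status (fuser: 0 = in use, 1 = not in use),
   127 if the binary could not be executed, or -1 on fork/wait failure. */
int file_in_use(const char *fuser_bin, const char *path)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "fuser", (char *)path, NULL };
        int fd = open("/dev/null", O_WRONLY);   /* mirrors "> /dev/null 2>&1" */
        if (fd >= 0) { dup2(fd, 1); dup2(fd, 2); close(fd); }
        execv(fuser_bin, argv);                 /* no /bin/sh involved */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char path[4096];
    /* Constructed sample name containing shell metacharacters. */
    if (join_path(path, sizeof path, "/tmp", "a;b $HOME") != 0)
        return 1;
    printf("fuser status for %s: %d\n", path, file_in_use("/sbin/fuser", path));
    return 0;
}
```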