Re: Security problem in Slackware.

From: Peter van Dijk (peterat_private)
Date: Fri Mar 13 1998 - 07:34:58 PST

Next message: Michal Zalewski: "/tmp event logger"

Previous message: Russ: "Win95 Winsock 2.0 DoS"
Maybe in reply to: Suman_Saraf: "Security problem in Slackware."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 11 Mar 1998, Suman_Saraf wrote:

> Hi,
>
> I just found out that the setup program in slackware creates a file called
> hdtest in /tmp  without checking for its existence.
>
> So a malicious user could just create a symlink to any root owned file and
> it will get fucked up when the administrator runs setup.
>
> In my case I just created a symlink to /etc/passwd and when I exit the
> setup the file contains only "EXIT" :-)
>
> Lemme know if something has been done about it already.
I have Slackware 3.4 (the newest) and I've been following the ChangeLog on
ftp.cdrom.com. It only lists a fix for a bug I submitted (imapd/ipop3d
coredump).

[root@koek] /tmp# nd test
[root@koek] /tmp/test# echo "root owns this file" > rootfile
[root@koek] /tmp/test# cat rootfile
root owns this file
[root@koek] /tmp/test# ls -al rootfile
-rw-r--r--   1 root     root           20 Mar 13 16:21 rootfile

[peter@koek] /tmp$ ln -sf test/rootfile hdset

[root@koek] /tmp/test# setup

[peter@koek] /tmp$ ls -al test/rootfile
-rw-r--r--   1 root     root            4 Mar 13 16:23 test/rootfile
[peter@koek] /tmp$ cat test/rootfile
EXIT[peter@koek] /tmp$

So, it does still work.
Another thing that might be interesting are the /tmp/SeT* files.
setup creates them while running (starting with rm -f /tmp/Set*). But
while setup is running you should be able to create some symlinks, like
some kind of race. Only this time, you're racing a human ;)

Another file that can be exploited is /tmp/slackdir, which records which
directory should be the root of the slackware filesystem. Very unlikely to
be used, but worth noting.

pkgtool does things like this in:
/tmp/{reply,viewscr,return,tmpmsg,rmscript,wdrive,sets,pkgdir,mntans,tagfile,
      skip}
and all kinds of /tmp/SeT* (which it cleans up when starting, like setup
does).

The best fix for this would be to let all these programs use their own
tmp-dir, because they're going to be run as root anyway.

Greetz, Peter.

------------------------------------------------------------------------------
 'Selfishness and separation have led me to   .      Peter 'Hardbeat' van Dijk
  to believe that the world is not my problem .    network security consultant
  I am the world. And you are the world.'     .               (yeah, right...)
          Live - 10.000 years (peace is now)  .        peterat_private
------------------------------------------------------------------------------
  4:19pm  up 18:48,  4 users,  load average: 0.00, 0.02, 0.00
------------------------------------------------------------------------------

Next message: Michal Zalewski: "/tmp event logger"
Previous message: Russ: "Win95 Winsock 2.0 DoS"
Maybe in reply to: Suman_Saraf: "Security problem in Slackware."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:23 PDT