vulnerability in satan, cops & tiger

From: Marc Heuse (Marc.Heuseat_private)
Date: Fri Jun 26 1998 - 00:24:17 PDT


    Hi ...
    
    While doing a security audit on various tools I found /tmp race conditions
    in the popular security programs cops 1.04, satan 1.1.1 and tiger 2.2.3 ...
    
    All the following bugs can be used to create or overwrite any file on the
    system, because these applications usually run under the root id.
    Therefore a denial of service and, depending on the system configuration
    (and 'luck'), a root compromise are possible.
    
    
    
    Satan v1.1.1
    
    in the file bin/rex.satan:
    
    tmp_file=/tmp/rex.$$
    trap "$RM -f $tmp_file; exit" 0 1 2 3 15
    [... several lines later ...]
    $REX -a 1,1,1 $target date >$tmp_file 2>/dev/null
    
    fix:
    
    change the tmp_file= line to
    tmp_file=./rex.$$
    that's how it's done in the other scripts needing temporary files.
    Note that the rex vulnerability check is not enabled in the standard
    configuration. You have to change the satan.cf file for that, so we
    can assume that 95% of the installations are not affected. Satan
    is out of date anyway; a new version will hit us someday in the future.
    Well, here's a quote from an email from Wietse:
    "A new SATAN version is in the works. However, all the software
    still needs to be written, so don't expect to see it by this summer."
    
    
    
    Cops v1.04 (see below for a patch)
    
    in the file res_diff:
    
    $AWK 'NR > 5' $old_file > /tmp/tmp.$$.foo
    $AWK 'NR > 5' $2 > /tmp/tmp.$$.bar
    
    
    in the file checkacct/ca.src:
    
    (touch /tmp/makedots${THISSHELL};while [ -f /tmp/makedots${THISSHELL} ]; do
            echownl(%.^); sleep 1; done)& 2>&1 >/dev/null;
    
    touch follows this symlink -> any file can be created on the system
    (what would be a nice attack for this? .nologin for dos?)
    
    
    in the file extra_src/mail.chk:
    
    PROG="/usr/tmp/mchk.p$$"
    TEMP="/usr/tmp/mchk.t$$"
    [...]
    $RM -f $PROG
    cat <<'EndOfProg' >$PROG
    [...]
    $RM -f $TEMP
    $LS -lag | $AWK -f $PROG >$TEMP
    
    
    
    
    Tiger v2.2.3
    
    the $WORKDIR of tiger 2.2.3 is set to /tmp and many
    temporary files are written there (it would exceed
    all limits to mention all the lines) ...
    to prevent the race conditions, $TIGER_HOME/tmp should be created by
    default and $WORKDIR in the config file set to it.
    See below for a patch.
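The mkdir-or-abort fix used in the COPS patch below, plus a checked version of the fixed work directory that the Tiger patch introduces, as an added example (not code from the original post or from COPS, SATAN or Tiger); $TMPBASE, $WORKDIR and the function names are this example's own:

```sh
#!/bin/sh
# Added example (not code from the original post or from COPS, SATAN or
# Tiger): the two defensive patterns behind the patches, written as
# reusable functions. $TMPBASE, $WORKDIR and the function names are
# this example's own assumptions.
TMPBASE="${TMPBASE:-/tmp}"

# Per-process directory (the COPS patch pattern): mkdir without -p is
# atomic and fails if anything already occupies the name, so a symlink
# or directory planted in advance is refused instead of followed.
# On success the path is left in $WORKDIR and removed on exit.
make_private_workdir() {
    umask 077
    WORKDIR="$TMPBASE/$1.$$"
    if ! mkdir "$WORKDIR" 2>/dev/null; then
        echo "can't create $WORKDIR - possible attack, aborting" >&2
        return 1
    fi
    # clean up on normal exit and on HUP/INT/QUIT/TERM, so an interrupted
    # run does not leave stale files behind for the next one
    trap 'rm -rf "$WORKDIR"' 0 1 2 3 15
}

# Fixed, reused directory (the Tiger approach, e.g. $BASEDIR/tmp):
# create it mode 0700 if absent, then verify the final state instead of
# trusting a "[ -d ]" pre-check: not a symlink, exactly drwx------,
# owned by the calling user.
ensure_fixed_workdir() {
    dir=$1
    [ -d "$dir" ] || mkdir -m 700 "$dir" || return 1
    [ ! -L "$dir" ] || return 1
    set -- $(ls -ldn "$dir")
    case "$1" in drwx------*) ;; *) return 1 ;; esac
    [ "$3" = "$(id -u)" ]
}
```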
    
    
    
    closing remarks: I was shocked when I found these bugs. These security tools
    have been around for years - and yet nobody had checked this ??
    If this is a reflection of our security consciousness, well, we have been in
    big trouble for a long time and things are not getting better (especially with
    M$ around)
    
    
    Kind regards,
                                    Marc Heuse
    
    
    This message and any statements expressed therein are those of myself
    and not of the Deutsche Bank AG or its subsidiary companies.
    
    
    Type Bits/KeyID    Date       User ID
    pub  2048/DB5C03C5 1997/09/23 Marc Heuse <marc.heuseat_private>
    
    
    
    
    COPS PATCH
    
    --- res_diff.orig       Thu Jun 18 09:54:39 1998
    +++ res_diff    Thu Jun 18 10:02:06 1998
    @@ -38,16 +38,24 @@
            fi
    
     # has anything changed?
    -$AWK 'NR > 5' $old_file > /tmp/tmp.$$.foo
    -$AWK 'NR > 5' $2 > /tmp/tmp.$$.bar
    +umask 077
    +mkdir /tmp/cops-res_diff.$$ || {
    +       echo "can't create /tmp/cops-res_diff.$$ - possible attack, aborting."
    +       exit 1
    +}
    +TMP_FOO="/tmp/cops-res_diff.$$/tmp.$$.foo"
    +TMP_BAR="/tmp/cops-res_diff.$$/tmp.$$.bar"
    
    -if $TEST -n "$DIFF /tmp/tmp.$$.foo /tmp/tmp.$$.bar" ; then
    -       $RM -f /tmp/tmp.$$.foo /tmp/tmp.$$.bar
    +$AWK 'NR > 5' $old_file > $TMP_FOO
    +$AWK 'NR > 5' $2 > $TMP_BAR
    +
    +if $TEST -n "$DIFF $TMP_FOO $TMP_BAR" ; then
    +       $RM -f $TMP_FOO $TMP_BAR
            $ECHO There is a difference....
            exit 1
            fi
    
    -$RM -f /tmp/tmp.$$.foo /tmp/tmp.$$.bar
    +$RM -rf /tmp/cops-res_diff.$$
     # echo There is no difference....
     exit 0
     # end
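Review bot: the test at `if $TEST -n "$DIFF $TMP_FOO $TMP_BAR" ; then`, carried over unchanged from the original, checks whether the literal string "$DIFF <path> <path>" is non-empty, which it always is; `$DIFF` is never executed, so the script reports a difference every time. If diff output is meant, the command needs command substitution (backquotes around `$DIFF $TMP_FOO $TMP_BAR`). Also, that branch removes only the two files with `$RM -f $TMP_FOO $TMP_BAR` before `exit 1`, so the new directory `/tmp/cops-res_diff.$$` is left behind on that path; `$RM -rf /tmp/cops-res_diff.$$` there, or a `trap` set right after the `mkdir`, would cover it.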
    --- extra_src/mail.chk.orig     Thu Jun 18 09:55:02 1998
    +++ extra_src/mail.chk  Thu Jun 18 10:01:52 1998
    @@ -19,10 +19,14 @@
     RM=/bin/rm
     MAILDIR=/var/spool/mail
     #
    -PROG="/usr/tmp/mchk.p$$"
    -TEMP="/usr/tmp/mchk.t$$"
    -#
     umask 077
    +mkdir /usr/tmp/cops-mail.chk.$$ || {
    +       echo "can't create /usr/tmp/cops-mail.chk.$$ - possible attack, aborting"
    +       exit 1
    +}
    +PROG="/usr/tmp/cops-mail.chk.$$/mchk.p$$"
    +TEMP="/usr/tmp/cops-mail.chk.$$/mchk.t$$"
    +#
     #
     # Unpack the awk script from a "hereis".
     # The script reports files with bad permissions or where filename !=
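Review bot: the failure message `echo "can't create /usr/tmp/cops-mail.chk.$$ - possible attack, aborting"` goes to stdout rather than stderr; add `>&2`. The directory name is also spelled out three times in this hunk and once more in the cleanup hunk; a single variable such as `TMPD="/usr/tmp/cops-mail.chk.$$"` keeps the `mkdir`, `PROG`, `TEMP` and the later `$RM -rf` in step. A `trap "$RM -rf $TMPD" 0 1 2 3 15` next to the `mkdir` would additionally remove the directory on interrupt, which the cleanup at the end of the script does not.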
    @@ -45,5 +49,5 @@
     fi
     #
     # Clean up.
    -$RM -f $TEMP $PROG
    +$RM -rf /usr/tmp/cops-mail.chk.$$
     exit 0
    --- checkacct/ca.src.orig       Thu Jun 18 09:54:51 1998
    +++ checkacct/ca.src    Thu Jun 18 10:08:20 1998
    @@ -351,12 +351,19 @@
     #
     # define the waiting routine that prints those neat dots
     #
    +umask 077
    +mkdir /tmp/cops-ca.src.$$ || {
    +       echo "can't create /tmp/cops-ca.src.$$ - aborting"
    +       exit 1
    +}
    +
     make_dots='
     if [ ${VERBOSE} -eq 1 ]; then
    -       (touch /tmp/makedots${THISSHELL};while [ -f
    /tmp/makedots${THISSHELL} ]; do echownl(%.^); sleep 1; done)& 2>&1
    +        touch /tmp/cops-ca.src.$$/makedots${THISSHELL};while [ -f
    /tmp/cops-ca.src.$$/makedots${THISSHELL} ];
    +       do echownl(%.^); sleep 1; done)& 2>&1 >/dev/null;
     fi;'
    
    -stop_dots='sleep 1; /bin/rm -rf /tmp/makedots${THISSHELL};'
    +stop_dots='sleep 1; /bin/rm -f /tmp/cops-ca.src.$$/makedots${THISSHELL};'
    
     if [ 1 -eq $VERBOSE ]; then
    
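Review bot: the rewritten `make_dots` body has lost its opening parenthesis: the original line began `(touch /tmp/makedots${THISSHELL};while [ -f` and ended `done)& 2>&1`, but the replacement `+        touch /tmp/cops-ca.src.$$/makedots${THISSHELL};while [ -f` starts with `touch`, so the `)&` on `+       do echownl(%.^); sleep 1; done)& 2>&1 >/dev/null;` is now unmatched and the background subshell is gone. Restore the `(` before `touch`. The hunk is also line-wrapped by the mailer (the `/tmp/...` continuation lines carry no `+`/`-` prefix), so `patch` will not apply it as posted; those wrapped lines need rejoining with the line above them.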
    @@ -542,6 +549,7 @@
     fi;
    
     %eval^ $stop_dots
    +rm -rf /tmp/cops-ca.src.$$
    
     if [ ${VERBOSE} -eq 1 ]; then
            echo "Step 3 complete."
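Review bot: `+rm -rf /tmp/cops-ca.src.$$` uses a bare `rm` while the script otherwise calls `/bin/rm` (see `stop_dots` in the previous hunk); use the same absolute path so cleanup does not depend on `$PATH`. This cleanup also runs only on the normal path after `$stop_dots`; any exit before this point leaves the directory behind, which a `trap` set where the directory is created would cover.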
    
    
    
    
    
    TIGER PATCH
    
    --- config.orig Thu Jun 18 09:43:22 1998
    +++ config      Thu Jun 18 09:50:59 1998
    @@ -12,9 +12,6 @@
     #-----------------------------------------------------------------------------
     #
     # space, tab, newline
    -TigerLogDir='.'
    -TigerWorkDir='/tmp'
    -TigerBinDir='$BASEDIR/bin'
    
     checkfile()
     {
    @@ -53,8 +50,17 @@
         BASEDIR='.'
       fi
    
    +TigerLogDir='.'
    +TigerWorkDir="$BASEDIR/tmp"
    +TigerBinDir='$BASEDIR/bin'
    +
    +[ -d $TigerWorkDir ] || mkdir $TigerWorkDir || {
    +        echo "can't create TigerWorkDir!"
    +        exit 1
    +}
    +
       LOGDIR=${TigerLogDir:=.}
    -  WORKDIR=${TigerWorkDir:=${TMPDIR:=/tmp}}
    +  WORKDIR=${TigerWorkDir:=${TMPDIR:=$BASEDIR/tmp}}
       EXPLAINREPORT=N
       SERVERCHECK=N
       Tiger_TESTMODE=N
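Review bot: `[ -d $TigerWorkDir ] || mkdir $TigerWorkDir` reintroduces a check-then-act window, and `-d` is also true for a symlink pointing at a directory, so a pre-existing symlink or a directory belonging to another user at `$BASEDIR/tmp` is accepted silently. Since `$BASEDIR` may be `.` (see `BASEDIR='.'` above), this matters whenever tiger is started from a world-writable directory. Create the directory with a restrictive mode (`mkdir -m 700`; the COPS patches use `umask 077`) and verify afterwards that it is not a symlink and is owned by the running user. Two smaller points: `TigerBinDir='$BASEDIR/bin'` is single-quoted while `TigerWorkDir="$BASEDIR/tmp"` is double-quoted, so one expands here and the other later; and the changed fallback `WORKDIR=${TigerWorkDir:=${TMPDIR:=$BASEDIR/tmp}}` can no longer take effect, because `TigerWorkDir` is always assigned a few lines earlier.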
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:48 PDT