Re: License Manager's lockfiles (Solaris 2.5.1)

From: Peter Marelas (Peter.Marelasat_private)
Date: Sat Oct 24 1998 - 03:00:43 PDT


    On Fri, 23 Oct 1998, Roger Harrison wrote:
    
    > On Wed, 21 Oct 1998, Joel Eriksson wrote:
    >
    > > License Manager on Solaris 2.5.1 tends to make stupid lockfiles owned by
    > > root and mode 666 (world-writable). That is not good, since anyone could
    > > create root-owned files which they then would be able to modify. It's an
    > > even bigger problem since it just takes about a minute 'til the lockfile
    > > is created after it's replaced with a symlink, which it follows ..
    >
    > I discovered this a few months ago and neglected to post it.
    > Solaris 2.6 is affected as well.  A lock file locksuntechd is created
    > in /tmp mode 666 owned by root and group root.  I think the program is
    > lmgrd FLEXlm v2.26d that is causing the problems, either that or suntechd.
    >
    > %ls -la /tmp/locksuntechd
    > -rw-rw-rw-  1 root      root        0 Oct 22 12:51 locksuntechd
    >
    > suntechd is in /opt/SUNWspro/SunTech_License/bin/
    >
    > there is a log file that contains some stuff about when the daemon is
    > going up or down and also if users are exploiting it you can see entries
    > about the lock file not being available.  It is in
    > /opt/SUNWspro/SunTech_License/license.log
    >
    > So to exploit it, just remove the locksuntechd file and replace it with a
    > symlink to a file you want to create.  It will not overwrite existing
    > files from the testing that i did.  Then the link is followed and the new
    > file is created with mode 666 ownership root.  You can then delete the
    > symlink and create a new one to somewhere else and it will work again and
    > again and again...what fun.  Users could create .rhosts files, new system
    > webpages, new trojan binaries with names spelled slightly off that get
    > misspelled often (finger-fineger, pine-pien, ls-sl)  come on.. tell me
    > you never typed one of those out wrong while you were typing fast!
    >
    
    The version of flexlm you're using is ancient. The current version is 6.1.
    A large number of vulnerabilities in flexlm were made public in Sep 1996.
    This includes the file permission races in /var/tmp that have been highlighted
    here.
    The bottom line is flexlm should NOT be run as root.
    
    See http://www.globetrotter.com/auscert.htm for the advisory.
    
    Regards
    Peter Marelas
    --
       /\    The Fulcrum Consulting Group               Peter Marelas - Consultant
      /\O\   Professional Services For Operation      Peter.Marelasat_private
     /   /\  Of A Networked Computing Environment              ph: +61-3-9621-2100
    /o   | \ 12/10-16 Queen St, Melbourne VIC 3000, Australia  fx: +61-3-9621-2724
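
The symlink-through-lock-file pattern Roger Harrison describes above, reduced to a runnable demonstration. This is an added example, not code from FLEXlm, suntechd or any of the posters: the lock file name and the "victim" target are constructed under a private mkdtemp() directory, the function names (create_lock_unsafe, create_lock_safe, plant_symlink, run_race) are hypothetical, and attacker and daemon are the same unprivileged user so it runs anywhere. The file-creation semantics are exactly the ones a root daemon would hit: open() with O_CREAT follows a dangling symlink and creates the file the link points to, whereas O_CREAT|O_EXCL refuses to create through a symlink at all.

```c
/* Lock-file symlink race: vulnerable open() beside the hardened form.
 * Added example; not FLEXlm/suntechd code. All paths below are constructed
 * under a temporary directory created at run time. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: O_CREAT without O_EXCL follows whatever is at
 * lockpath. If an attacker has replaced the lock with a symlink, the
 * file is created at the link target, here with the 0666 mode from the
 * post (subject to umask). Returns 0 on success, -1 on error. */
int create_lock_unsafe(const char *lockpath) {
    int fd = open(lockpath, O_WRONLY | O_CREAT, 0666);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST if anything,
 * including a symlink, already exists at lockpath, so it can never be
 * redirected; the mode is tightened to 0600 as well. The real fix from
 * the reply still stands: do not run the license daemon as root. */
int create_lock_safe(const char *lockpath) {
    int fd = open(lockpath, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Attacker step from the post: remove the lock file and replace it with
 * a symlink to the file you want created. Returns symlink()'s result. */
int plant_symlink(const char *lockpath, const char *target) {
    unlink(lockpath);
    return symlink(target, lockpath);
}

/* Plays one round of the race with the given lock creator standing in
 * for the daemon. Returns 1 if the target file got created through the
 * symlink, 0 if it did not, -1 if the scratch directory could not be
 * set up. Cleans up after itself. */
int run_race(int (*create_lock)(const char *)) {
    char dir[] = "/tmp/lockrace.XXXXXX";   /* constructed scratch dir */
    char lock[256], target[256];
    struct stat st;
    int created;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lock, sizeof lock, "%s/locksuntechd", dir);
    snprintf(target, sizeof target, "%s/victim.rhosts", dir);

    if (plant_symlink(lock, target) != 0) { rmdir(dir); return -1; }

    create_lock(lock);                     /* "daemon" recreates its lock */
    created = (stat(target, &st) == 0);    /* did the link get followed? */

    unlink(target);
    unlink(lock);
    rmdir(dir);
    return created;
}

int main(void) {
    printf("open(O_CREAT)        -> target created: %d\n",
           run_race(create_lock_unsafe));
    printf("open(O_CREAT|O_EXCL) -> target created: %d\n",
           run_race(create_lock_safe));
    return 0;
}
```

Run as an ordinary user the first line reports 1 and the second 0; run the unsafe variant as root with a lock path in a world-writable directory and you have the bug in the thread, a root-owned file of the attacker's choosing. Note that O_EXCL only protects creation: a daemon that later truncates or writes the lock by path should also check with lstat() (or open with O_NOFOLLOW) that the path is still the regular file it created.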
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:04 PDT