ISS install.iss security hole

From: Fyodor (fyodorat_private)
Date: Sat Feb 20 1999 - 17:59:23 PST


    Today I downloaded the latest trial version of Internet Security Scanner
    for Linux (version 5.3).
    
    The install program (shell script) requires that you be root, even if you
    want to install ISS in your home directory.  I decided to edit the script
    to comment out the root-check, and was rather shocked when I saw what they
    are doing in install.iss:
    
      # Only root can pass the next four operations.
      # Yes it's ugly - BUT IT WORKS!
      touch /tmp/.root.$$ >> /dev/null 2>&1
      chmod 600 /tmp/.root.$$ >> /dev/null 2>&1
    
    Obviously this is vulnerable to the standard tmp-symlink problem.  And
    they don't even look for the file first, so there is no need to worry
    about exploiting race conditions -- just stick the 65K symlinks in /tmp
    and wait for root to install ISS (you might have to wait a while ;). I've
    tested that you can chmod whatever file you want to 600.  This could make
    for an easy DoS, but off the top of my head I don't see much more exploit
    potential.
    
    While this is probably not going to be exploited much (if ever), it really
    concerns me that kindergarten-level security holes are still present in
    current mass market **security** software.  Remember that ISS chooses not
    to offer us (or even paying customers!) the source code for their scanner.
    So we have to trust ISS programmers are highly competent and aware of
    secure coding issues.  When I find problems like the one above without
    even looking for them, I have to wonder whether this trust is misplaced.
    
    Cheers,
    Fyodor
    
    PS (shameless plug):  Version 2.08 of the nmap security scanner is
    available free, with source code, at http://www.insecure.org/nmap/
    
    --
    Fyodor                            'finger pgpat_private | pgp -fka'
    "Girls are different from hacking. You can't just brute force them if all
    else fails." --SKiMo, quoted in _Underground_ (good book)
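The post quotes the two offending lines but not what a correct version looks like. The script below is an added example and is not code from install.iss, from ISS, or from Fyodor's post. It separates the two things the original pattern conflates: deciding whether the caller is root (ask the kernel via `id -u`, no filesystem probe needed) and creating a temporary file when one is genuinely required (`mktemp`, which creates with O_EXCL under an unpredictable name, so a pre-planted entry causes failure instead of being followed). It also carries a regression test that reproduces the flaw inside a private sandbox directory rather than the real /tmp, so a maintainer can confirm that the original `touch`/`chmod` pair does follow a planted link. Function names and the fixed PID `12345` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from install.iss or from ISS. Function names are
# this example's own. Everything runs inside a private mktemp directory.

# Ask the kernel for the effective UID instead of probing a world-writable
# directory. Returns 0 when running as root, 1 otherwise.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Regression test for the original pattern: plant a symlink at the
# predictable marker name (PID fixed to 12345 for the demo) inside a
# sandbox, run the original touch+chmod lines against it, and report
# whether the mode change landed on the link target.
# Returns 0 if the target's mode was changed (i.e. the link was followed).
demo_symlink_followed() {
    sandbox=$(mktemp -d) || return 2
    victim="$sandbox/victim"
    printf 'data\n' > "$victim"
    chmod 644 "$victim"
    ln -s "$victim" "$sandbox/.root.12345"
    # the two lines from install.iss, with the sandbox standing in for /tmp
    touch "$sandbox/.root.12345" >/dev/null 2>&1
    chmod 600 "$sandbox/.root.12345" >/dev/null 2>&1
    followed=1
    # POSIX find -perm with an octal mode is an exact match
    find "$victim" -perm 600 | grep -q . && followed=0
    rm -rf "$sandbox"
    return "$followed"
}

# Safe replacement if a marker file is genuinely needed: mktemp picks an
# unpredictable name and creates it with O_EXCL, so a pre-planted link or
# file at that name makes creation fail rather than being followed.
# Returns 0 when a fresh regular file (not a symlink) was created; the
# file is removed again before returning.
safe_marker() {
    f=$(mktemp "${TMPDIR:-/tmp}/.root.XXXXXX") || return 1
    if [ -f "$f" ] && [ ! -L "$f" ]; then
        rm -f "$f"
        return 0
    fi
    rm -f "$f"
    return 1
}

if is_root; then echo "running as root"; else echo "not root"; fi
demo_symlink_followed && echo "original pattern: chmod followed the planted symlink"
safe_marker && echo "mktemp marker: fresh regular file, nothing was followed"
```

The root check needs no temporary file at all; if an installer does need scratch space, a per-run `mktemp -d` directory with mode 700 removes the shared-namespace problem entirely rather than trying to detect a planted entry after the fact.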
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:34 PDT