Re: ISS install.iss security hole

From: Peter Benie (pjb1008at_private)
Date: Mon Feb 22 1999 - 10:10:54 PST


    Fyodor writes ("ISS install.iss security hole"):
    >   # Only root can pass the next four operations.
    >   # Yes it's ugly - BUT IT WORKS!
    >   touch /tmp/.root.$$ >> /dev/null 2>&1
    >   chmod 600 /tmp/.root.$$ >> /dev/null 2>&1
    >
    > Obviously this is vulnerable to the standard tmp-symlink problem.  And
    > they don't even look for the file first, so there is no need to worry
    > about exploiting race conditions -- just stick the 65K symlinks in /tmp
    > and wait for root to install ISS (you might have to wait a while ;). I've
    > tested that you can chmod whatever file you want to 600.  This could make
    > for an easy DOS, but off the top of my head I don't see much more exploit
    > potential.
    
    There is a second problem, but it's not as obvious.
    
    The 'touch' program first calls stat() to check if the file exists.
    If it does, it calls utime() to update the timestamps; if it doesn't,
    it calls fopen(filename, "w"). fopen will call creat() (or equivalent),
    truncating the named file.
    
    If you can predict the filename given to 'touch' (hard in this case,
    but definitely possible with other scripts), you can create a symlink
    between the stat() and the creat() system calls and truncate any file
    on the system.
    
    (Not bad - two security holes in two lines...)
    
    Peter Benie
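A hardened replacement for the file-creation step, as an added example that is not part of the original thread or of the ISS script: instead of `touch` (stat() followed by creat()) and a separate `chmod`, a single open() with O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600 makes the kernel refuse with EEXIST when anything, a symlink included, already sits at the name, so there is no window between the check and the create and nothing can be truncated or chmod'ed through a pre-placed link. The names `create_private_file` and `demo_refuses_symlink`, and the mkdtemp() sandbox under /tmp with its "victim" file, are my own constructions for the demonstration; the code assumes a POSIX system that provides O_NOFOLLOW.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` as a brand-new regular file, mode 0600, in one step.
 * O_CREAT|O_EXCL makes open() fail with EEXIST if any object already
 * occupies the name (a symlink counts, even a dangling one), and
 * O_NOFOLLOW adds a second refusal for symlinks. There is no
 * stat()-then-creat() gap for a racing process to win.
 * Returns an open descriptor, or -1 with errno set. */
int create_private_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    /* Belt and braces: confirm the object we hold is a plain file we own. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check that mirrors the scenario in the thread inside a private
 * mkdtemp() directory (constructed for this example): a "victim" file
 * with known contents and a symlink at the predictable name pointing at
 * it. Returns 1 if the hardened create refuses the link with EEXIST and
 * the victim keeps its contents, 0 otherwise. */
int demo_refuses_symlink(void)
{
    char dir[] = "/tmp/safecreate.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;

    char victim[256], lnk[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/.root.1234", dir);

    int ok = 0;
    FILE *f = fopen(victim, "w");
    if (f && fputs("keep me\n", f) != EOF && fclose(f) == 0
        && symlink(victim, lnk) == 0) {
        int fd = create_private_file(lnk);            /* must fail: EEXIST */
        int refused = (fd < 0 && errno == EEXIST);
        if (fd >= 0)
            close(fd);

        /* The victim must be untouched: same 8 bytes as written above. */
        char buf[32] = {0};
        FILE *v = fopen(victim, "r");
        size_t n = v ? fread(buf, 1, sizeof buf - 1, v) : 0;
        if (v)
            fclose(v);
        ok = refused && n == 8 && strcmp(buf, "keep me\n") == 0;
    }

    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("hardened create refuses a pre-placed symlink: %s\n",
           demo_refuses_symlink() ? "yes" : "NO");
    return 0;
}
```

In a shell script the equivalent is `mktemp` (which uses O_CREAT|O_EXCL internally) under `umask 077`, rather than `touch` plus `chmod` on a guessable name; and a root check itself does not need a scratch file at all when `id -u` is available.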
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:16 PDT