ARCserve symlink vulnerability

From: NAI Labs (seclabsat_private)
Date: Wed Feb 16 2000 - 10:56:48 PST

Next message: NAI Labs: "Remote Vulnerability in the MMDF SMTP Daemon"

Previous message: Bill McKinnon: "Re: perl-cgi hole in UltimateBB by Infopop Corp."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

======================================================================

                      Network Associates, Inc.
                        SECURITY ADVISORY
                        February 15, 2000

                  ARCserve symlink vulnerability

======================================================================

SYNOPSIS

An implementation fault in the ARCserve agent script allows local
attackers to obtain root privileges and overwrite/insert data into
arbitrary files.

======================================================================

VULNERABLE HOSTS

This vulnerability has been confirmed and is known to be exploitable
under Unixware 7.1.0

======================================================================

TECHNICAL DETAILS

A script responsible for starting up the ARCserve agent creates
multiple world writeable statically named temp files. An attacker can
remove these files and create symlinks to other files on the system
allowing him to create root owned world writeable files or overwrite
any file on the system. It is also possible for the attacker to
insert any data he wishes to the files he overwrites due to the
nature of the configuration/tempfile system.

======================================================================

COMMENTS

ARCserve agent is installed and running by default.

======================================================================

RESOLUTION

SCO has developed a patch to address this issue.  More information is
available at:  http://www.sco.com/security.

======================================================================

CREDITS

Discovery and documentation of this vulnerability was conducted
by Shawn Bracken at the Security Research Labs of Network Associates.

======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most
important research in computer security today. With over 30
security advisories published in the last 2 years, the Network
Associates security research teams have been responsible for the
discovery of many of the Internet's most serious security flaws.
This advisory represents our ongoing commitment to provide
critical information to the security community.

For more information about the Security Labs at Network
Associates, see our website at http://www.nai.com or contact us
at <seclabsat_private>.

======================================================================

NETWORK ASSOCIATES SECURITY LABS PGP KEY

- - -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 5.5.5

mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc
fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB
Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp
OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P
bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx
Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu
BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB
c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC
AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W
vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC
8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh
01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB
qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst
jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn
CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky
CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA
vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG
NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl
U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p
2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4
QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V
gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ
=L3C6
- - ----

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBOKry8KF4LLqP1YESEQKuugCfVHdg3dIqQTf6p7PIjBKEhOfu4oYAoNwX
d8IQhNZE4qWWr3l76aE8vxQs
=T0a1
-----END PGP SIGNATURE-----

Next message: NAI Labs: "Remote Vulnerability in the MMDF SMTP Daemon"
Previous message: Bill McKinnon: "Re: perl-cgi hole in UltimateBB by Infopop Corp."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:20 PDT