Security Bug in InoculateIT for Linux (fwd)

From: Chris Wilson (chrisat_private)
Date: Fri May 25 2001 - 10:54:13 PDT


    Dear Bugtraq Readers,
    
    We believe we have discovered a security flaw (a /tmp race condition) in
    Computer Associates' InoculateIT product, a good virus scanner for
    Microsoft and UNIX platforms which is free for personal use. The
    vulnerability allows local users to deny service to the system or possibly
    gain root privileges.
    
    The vulnerability affects some UNIX versions of InoculateIT under certain
    conditions. Although we tested the Linux version, this version is not
    vulnerable under normal circumstances. However, we believe that other UNIX
    versions are basically identical and, given the necessary directory
    layout, will be vulnerable to this attack.
    
    We notified the vendor (www.ca.com) on Thursday 17th May (over one week
    ago) and have received no response, so in accordance with RFPolicy
    (http://www.wiretrip.net/rfp/policy.html) we are making this information
    public. Please find the advisory below.
    
    Please note that the advisory contains a small mistake. We have discovered
    that it is not possible, as previously thought, to overwrite any file on
    the system with arbitrary contents, only with the contents of an FTP
    download or error message. We believe that this mitigates the risk of
    exploitation, but we could be wrong.
    
    I wish vendors would reply to their e-mail, but I guess that would be
    asking too much.
    
    Ciao, Chris.
    -- 
       ___ __     _
     / __// / ,__(_)_  | Chris Wilson <chrisat_private> | +44 1223 576 516 |
    / (_ / ,\/ _/ /_ \ | Lead Developer - Firewall Systems | www.camcom.co.uk |
    \ _//_/_/_//_/___/ | Unix Systems and Network Engineer +-- Cambridge UK --+
    
    ---------- Forwarded message ----------
    Date: Thu, 17 May 2001 17:02:52 +0100 (BST)
    From: Chris Wilson <chrisat_private>
    To: supportat_private, securityat_private, infoat_private, security-alertat_private,
         secureat_private
    Cc: johnat_private, markat_private
    Subject: Security Bug in InoculateIT for Linux
    
    Dear Sirs,
    
    I believe there is a vulnerability in InoculateIT for Linux, and probably
    other Unix versions of InoculateIT, which allows local non-root users to
    delete any file on the system, and under some circumstances to overwrite
    any file on the system, next time the "update_signature" is run by root.
    If the recommendations in the documentation are followed, this will happen
    every day at 1am.
    
    The update_signature script, at least in the Linux version, calls
    ftpdownload to retrieve an updated version of itself. ftpdownload contains
    a security vulnerability, and update_signature contains a self-destruct
    mechanism.
    
    1. Insecure temporary files.
    ============================
    
    ftpdownload contains the following lines:
    
      wlog=/tmp/ftpdownload.log
      ...
          $CAIGLBL0000/ino/bin/wget $URL -O $LOCAL_FN > $wlog 2>&1
    
    Because the temporary file /tmp/ftpdownload.log has a well-known,
    non-random name and is created in a public /tmp directory, any user can
    create a symbolic link from /tmp/ftpdownload.log to another file on the
    system, and that file will be overwritten. This requires two
    preconditions:
    
    a) $CAIGLBL0000/ino/bin/wget must exist, otherwise wget is not run.
    b) ftpdownload is run as root
    
    If these preconditions are met, and /tmp/ftpdownload.log is a symbolic
    link to, say, /etc/passwd, then that file will be overwritten next time
    ftpdownload is run. This may happen automatically, since the README file
    gives instructions for installing it as a cron job which executes
    automatically every day at 1am. The result is at least a denial of
    service, and quite possibly a root compromise if you overwrite the correct
    file.
    
    The solution is to modify the script to store the log file in a secure
    temp directory, for example:
    
      wlog=$LOCAL_FN.log
    
    
    2. Self-Destruct in update_signature.
    =====================================
    
    update_signature helpfully renames the current InoculateIT files with a
    .prev extension before downloading an update, in case the updated files
    are corrupt or do not work for some reason. However, in the event of a
    download failure, the .prev files are not restored to their original
    names. The virus scanner will then refuse to run unless these files are
    renamed manually, or update_signature.prev is run manually to download a
    new copy.
    
    An automatic update might fail for a number of reasons, for example if the
    user's Internet connection has failed, is busy, or is under a
    denial-of-service attack, or if CA's server crashed, was cracked, or was
    under heavy load (e.g. around 1am =).
    
    The solution is to change this code:
    
        else
            echo "Error $? during tar extract"
            exit 16
        fi
    
    to:
    
        else
            echo "Error $? during tar extract"
            for i in inocucmd virsig.dat README.txt update_signature ftpdownload $id_file; do
                    mv -f $i.prev $i
            done
            exit 16
        fi
    
    This advisory notice is RFpolicy compliant
    (http://www.wiretrip.net/rfp/policy.html). Unless you contact us first,
    we intend to publish this advisory at 9:00am GMT on the 25th May 2001 (five
    working days). But please don't make us do that.
    
    Yours sincerely,
    
    Chris Wilson.
    -- 
       ___ __     _
     / __// / ,__(_)_  | Chris Wilson <chrisat_private> | +44 1223 576 516 |
    / (_ / ,\/ _/ /_ \ | Lead Developer - Firewall Systems | www.camcom.co.uk |
    \ _//_/_/_//_/___/ | Unix Systems and Network Engineer +-- Cambridge UK --+
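The following POSIX shell script is an added illustration of the two fixes the advisory asks for; it is not part of the original post and not CA's update_signature or ftpdownload code. It keeps the wget log in a private mktemp directory and opens it with noclobber so a pre-placed symlink under /tmp is never followed (a stronger variant of the advisory's `wlog=$LOCAL_FN.log` suggestion), and it restores the .prev copies whenever the download step fails. All function names (`run_update`, `write_log_noclobber`, and so on) are assumptions; the downloader is passed in as a command so the flow can be exercised offline with constructed files.

```shell
#!/bin/sh
# Added example, not from the advisory or from CA's InoculateIT scripts.
# Demonstrates: (1) a log file that cannot be redirected through a symlink
# planted in /tmp, and (2) rollback of the .prev set when an update fails.
# Function names and the FILES list are assumptions for illustration.

FILES="inocucmd virsig.dat README.txt update_signature ftpdownload"

# Private scratch directory: mktemp -d creates it mode 0700 with an
# unpredictable name, so no other user can pre-create the log path.
make_private_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/inoupdate.XXXXXX"
}

# Create the log without following an existing path: set -C (noclobber)
# makes '>' fail if anything is already there, symlink included, instead
# of truncating whatever the symlink points at.
write_log_noclobber() {
    ( set -C; : > "$1" ) 2>/dev/null || return 1
    printf 'download started\n' >> "$1"
}

# Stage the current files as .prev, as update_signature does.
backup_current() {
    for f in $FILES; do
        [ -e "$1/$f" ] && mv -f "$1/$f" "$1/$f.prev"
    done
    return 0
}

# Put the .prev files back so the scanner keeps working after a failure.
restore_previous() {
    for f in $FILES; do
        [ -e "$1/$f.prev" ] && mv -f "$1/$f.prev" "$1/$f"
    done
    return 0
}

# run_update DIR CMD [ARGS...]: CMD receives DIR, must exit 0 on success
# and leave the new files in DIR. Any failure restores the .prev set and
# returns 16, the exit code the original script uses.
run_update() {
    dir=$1; shift
    work=$(make_private_workdir) || return 1
    log="$work/ftpdownload.log"
    backup_current "$dir"
    if write_log_noclobber "$log" && "$@" "$dir" >> "$log" 2>&1; then
        rm -rf "$work"
        return 0
    fi
    restore_previous "$dir"
    rm -rf "$work"
    return 16
}

# Stand-alone demonstration on constructed files: a failing download
# leaves the old virsig.dat in place instead of a dead scanner.
demo_update() {
    t=$(mktemp -d) || return 1
    mkdir "$t/ino"
    for f in $FILES; do echo old > "$t/ino/$f"; done
    failing_download() { return 1; }
    if run_update "$t/ino" failing_download; then
        echo "unexpected success"
    else
        echo "update failed; virsig.dat still reads: $(cat "$t/ino/virsig.dat")"
    fi
    rm -rf "$t"
}

case "${1-}" in demo) demo_update ;; esac
```

Run it as `sh script.sh demo` to see the rollback. The noclobber check relies on the shell opening the path with O_EXCL, which the kernel refuses to do through a symbolic link, dangling or not; the private directory is belt and braces on top of that.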
    



    This archive was generated by hypermail 2b30 : Fri May 25 2001 - 16:46:51 PDT