[SNS Advisory No.37] HTTProtect allows attackers to change the protected file using a symlink

From: snsadvat_private
Date: Wed Jul 18 2001 - 22:18:44 PDT

Next message: Marc Maiffret: "Full analysis of the .ida "Code Red" worm."

Previous message: Marc Maiffret: "RE: IIS5 .idq exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----------------------------------------------------------------------
SNS Advisory No.37
HTTProtect allows attackers to change the protected file using a symlink

Problem first discovered: Mon, 4 Jun 2001
Published: Wed, 18 Jul 2001
----------------------------------------------------------------------

Overview
---------
HTTProtect is a security product released by Omnisecure
(http://www.ominisecure.com) which prevents users from changing
and deleting file on the ext2 file system.

Even if attackers gain root privilege, it prevents them from
changing or deleting protected files.
But there is a problem which attackers can change protected files
bypassing the access-control.

Problem Description
-------------------
Even if attackers have the root privilege, protected files cannot
be changed, but they can change protected files under these conditions:

1.Attackers can make symlink in a writable directory(ex. /tmp)
2.They are the owner of the target file or they have root privilege.

example: (A protected file is /opt/www/html/index.html)
  $ ln -s /opt/www/html/index.html /tmp/foo
  $ vi /tmp/foo (cat /tmp/hack.html > /tmp/foo)

Tested Version
--------------
HTTProtect 1.1.1

Tested on
---------
RedHatLinux 6.2-J(Kernel 2.2.14-50)

Status of fixes
---------------
Patch is available on Omnisecure Web site now.
$B!J(Bhttp://www.omnisecure.com/products/http/Linux/1.1.1/index.htm\27$B!K\27(B

Discovered by
-------------
 (TANIDA Fusao / LAC)$B!!(Btanidaat_private

Disclaimer
----------
  All information in these advisories are subject to change without any 
  advanced notices neither mutual consensus, and each of them is
  released as it is. LAC Co.,Ltd. is not responsible for any risks of
  occurrences caused by applying those information.

References
----------
  Archive of this advisory:
  http://www.lac.co.jp/security/english/snsadv_e/37_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadvat_private>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/

Next message: Marc Maiffret: "Full analysis of the .ida "Code Red" worm."
Previous message: Marc Maiffret: "RE: IIS5 .idq exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 22:22:53 PDT