Dangerous temp file creation during installation of Netscape 6.

From: Larry W. Cashdollar (lwcat_private)
Date: Mon Aug 27 2001 - 10:55:27 PDT

Next message: Will Bryant: "Re: Eudora MUA: Risky practice"

Previous message: X-Force: "ISS Advisory: Remote Buffer Overflow Vulnerability in HP-UX Line Printer Daemon"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

During installation of Netscape 6.01a for Solaris 2.7/8 Sparc, I noticed
the file /tmp/admin.3842 was created with mode 644.  As you already know
if this package is installed by root in multiuser mode a malicious user
could use this to overwrite system files etc..

Here is the dangerous code: 

# grep tmp ns6install
cat >/tmp/admin.$$ <<EOF
                        /usr/sbin/pkgrm -n -a /tmp/admin.$$ ${pkg}.* 2>&1
        /usr/sbin/pkgadd -n -a /tmp/admin.$$ -d `pwd` $pkg 2>&1
# 


A temporary work around would be to shut the system down into single user
mode, clean out /tmp and then install.

In reference too:

http://www.sun.com/solaris/netscape/index.html


-- Larry
   http://vapid.dhs.org:8080

Next message: Will Bryant: "Re: Eudora MUA: Risky practice"
Previous message: X-Force: "ISS Advisory: Remote Buffer Overflow Vulnerability in HP-UX Line Printer Daemon"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 11:18:23 PDT