Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
|
|
|
Want to learn about SecurityTracker? We've got answers to frequently asked questions right here
|
|
|
|
|
|
|
|
|
|
|
Etnus TotalView Source Debugger File Permission Settings May Let Local Users Obtain Elevated Privileges on the System
|
Date: Mar 26 2002
|
Impact: Execution of arbitrary code via local system, Modification of user information, Root access via local system, User access via local system
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 5.0.0-4
|
Description: A file permission vulnerability was reported in the Etnus TotalView source-level debugger. A local user could obtain elevated privileges on the system.
It is reported that the software installs files with improper ownership permissions, allowing a local user to obtain root privileges.
It
is reported that a local user with user id (uid) 5039 or with group id (gid) 59 can exploit the flaw to gain root access on the
system. The local user can modify the binaries or the symbolic links to those binaries so that when a root level user runs the
debugger, the local user's arbitrary code will be executed by the root level user instead of the TotalView binaries.
Some of
the file permission settings are shown in the Source Message.
|
Impact: A local user with the appropriate user id or group id could modify files or links on the system to replace TotalView binaries with arbitrary code. The arbitrary code would be executed whenever another user runs TotalView.
|
Solution: The vendor has reportedly released a fix. Contact the vendor for more information:
http://www.etnus.com/About/Contact/index.html
|
Vendor URL: www.etnus.com/Products/TotalView/ (Links to External Site)
|
Cause: Access control error, Configuration error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), UNIX (Tru64)
|
Reported By: "Andrew Griffiths" <nullptr@tasmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 26 Mar 2002 21:49:06 +1100 (EST)
From: "Andrew Griffiths" <nullptr@tasmail.com>
Subject: Etnus TotalView 5.
|
Program: Etnus TotalView
Version: 5.0.0-4
DESCRIPTION
-----------
TotalView is a multiprocess source-level debugger for programs written
in the C, C++, and Fortran programming languages. TotalView is part of
a suite of programming tools from Etnus, LLC.
PROBLEM
-------
Failed to install the files owned by root:root, which leads to possible root
comprise. If you have uid 5039, or can get it, or a gid of 59, or can get it,
you can exploit the condition.
VENDOR STATUS
-------------
Vendor was informed, and promptly fixed it; if affected you can download the new version.
The version tested was 5.0.0-4 for Linux. I don't know if affects any other versions.
DEMONSTRATION
-------------
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/
total 16
drwxrwxr-x 4 root root 4096 Mar 24 16:29 ./
drwxr-xr-x 19 root root 4096 Mar 24 16:29 ../
drwxrwxr-x 5 root root 4096 Mar 24 16:29 flexlm-6.1/
drwxrwxr-x 12 root root 4096 Mar 24 16:29 totalview.5.0.0-4/
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/totalview.5.0.0-4/
total 56
drwxrwxr-x 12 root root 4096 Mar 24 16:29 ./
drwxrwxr-x 4 root root 4096 Mar 24 16:29 ../
drwxrwxr-x 2 5039 59 4096 Mar 24 16:29 bin/
drwxrwxr-x 3 5039 59 12288 Jan 8 01:33 bitmaps/
drwxrwxr-x 2 5039 59 4096 Jan 8 01:36 fonts/
drwxrwxr-x 4 5039 59 4096 Feb 8 02:43 help/
drwxrwxr-x 2 5039 59 4096 Jan 9 06:31 include/
drwxrwxr-x 2 5039 59 4096 Jan 9 06:31 lib/
drwxrwxr-x 7 5039 59 4096 Jan 8 02:12 linux-x86/
drwxrwxr-x 3 5039 59 4096 Jan 8 01:36 man/
drwxrwxr-x 2 5039 59 4096 Jan 8 01:27 mri/
drwxrwxr-x 3 5039 59 4096 Jan 9 06:30 X11/
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/flexlm-6.1/
total 32
drwxrwxr-x 5 root root 4096 Mar 24 16:29 ./
drwxrwxr-x 4 root root 4096 Mar 24 16:29 ../
drwxrwxr-x 2 5039 59 4096 Jan 8 01:25 bin/
drwxrwxr-x 4 5039 59 4096 Jan 8 01:25 doc/
drwxrwxr-x 3 5039 59 4096 Jan 8 02:12 i386-linux/
-r--r--r-- 1 5039 59 228 Jan 8 01:24 license.opt.src
-r--r--r-- 1 5039 59 6959 Jan 8 01:24 README
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/flexlm-6.1/i386-linux/bin/
total 3244
drwxrwxr-x 2 5039 59 4096 Jan 8 02:12 ./
drwxrwxr-x 3 5039 59 4096 Jan 8 02:12 ../
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmcksum*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmdiag*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmdown*
-r-xr-xr-x 1 5039 59 260244 Jan 8 02:12 lmgrd*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmhostid*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmremove*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmreread*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmstat*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmswitchr*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmutil*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmver*
-r-xr-xr-x 1 5039 59 377356 Jan 8 02:12 toolworks*
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/totalview.5.0.0-4/linux-x86/bin/
total 15960
drwxrwxr-x 2 5039 59 4096 Mar 24 16:29 ./
drwxrwxr-x 7 5039 59 4096 Jan 8 02:12 ../
-r-xr-xr-x 1 5039 59 4727166 Jan 8 02:15 hyperhelp*
lrwxrwxrwx 1 5039 59 13 Mar 24 16:29 totalview -> ../../bin/tv5*
lrwxrwxrwx 1 5039 59 16 Mar 24 16:29 totalviewcli -> ../../bin/tv5cli*
lrwxrwxrwx 1 5039 59 13 Mar 24 16:29 tv5 -> ../../bin/tv5*
lrwxrwxrwx 1 5039 59 16 Mar 24 16:29 tv5cli -> ../../bin/tv5cli*
-r-xr-xr-x 1 5039 59 3412128 Feb 5 01:00 tv5climain*
-r-xr-xr-x 1 5039 59 6005964 Feb 5 00:59 tv5main*
lrwxrwxrwx 1 5039 59 16 Mar 24 16:29 tvdsvr -> ../../bin/tvdsvr*
-r-xr-xr-x 1 5039 59 373208 Feb 5 01:00 tvdsvrmain*
-r-xr-xr-x 1 5039 59 1763856 Jan 8 02:16 vismain*
lrwxrwxrwx 1 5039 59 19 Mar 24 16:29 visualize -> ../../bin/visualize*
--
www.tasmail.com
|
|
Go to the Top of This SecurityTracker Archive Page
|
