SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Generic)  >   S-PLUS Vendors:   Insightful Corporation
Insightful's S-PLUS Uses Unsafe Temporary Files That May Let Local Users Modify Files or Obtain Elevated Privileges
SecurityTracker Alert ID:  1005896
SecurityTracker URL:  http://securitytracker.com/id/1005896
CVE Reference:   CVE-2003-1279
Updated:  Jun 8 2008
Original Entry Date:  Jan 7 2003
Impact:   Execution of arbitrary code via local system, Modification of system information, Modification of user information, Root access via local system, User access via local system
Exploit Included:  Yes  

Description:   A vulnerability was reported in Insightful's S-PLUS statistical analysis package. A local user could modify files with elevated privileges.

It is reported that the main Sqpe binary and several shell script modules create and overwrite files in the '/tmp' directory whose names are only semi-predictable (they are derived from the process ID). A local user can plant a symbolic link (symlink) at one of those temporary file paths that points to a critical file on the system. When a target user then invokes S-PLUS, S-PLUS follows the symlink and overwrites the critical file.

It may be possible for the local user to execute arbitrary commands by exploiting this, according to the report.

The vendor has reportedly been notified.

Impact:   A local user can cause files on the system to be overwritten with the privileges of the target user. A local user may be able to gain elevated privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.insightful.com/products/product.asp?PID=10
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  S-plus /tmp usage


INTRODUCTION

S-PLUS is a Statistical analysis, graphics and programming tool
http://www.statsci.com/
http://www.insightful.com/


PROBLEM

As installed on UNIX machines, Splus uses files in /tmp in an unsafe way.


DETAILS

The main Sqpe binary, and various shell script modules, use files in /tmp:

splus/6.0/cmd/Sqpe
	Clobbers /tmp/__F$$:
	open("/tmp/__F8499", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

splus/6.0/cmd/PRINT
	Clobbers /tmp/PRINT.$$.out

splus/6.0/cmd/mustfix.hlinks
	Clobbers /tmp/SUBST$PID.TXT /tmp/ed.cmds$PID

splus/6.0/cmd/sas_get
	May clobber and use /tmp/file.1 /tmp/file.2

splus/6.0/cmd/sas_vars
	May clobber and use /tmp/file.1

splus/6.0/cmd/sgml2html
	Clobbers /tmp/sgml2html$$tmp /tmp/sgml2html$$tmp1 /tmp/sgml2html$$tmp2

Suppose an attacker creates a symlink from any of the "clobbered" files to
one owned by the victim: guesses the PID that will be used, does

  ln -s ~victim/.profile /tmp/__F123

and waits for the victim to use Splus, then the victim's .profile will be
trashed. Some or all of these attacks may then be escalated to arbitrary
command execution; if root ever uses Splus then the damage is much greater.

It might be argued that it is hard to guess what PID will be used next.
It is easy enough to create a few thousand symlinks with likely PIDs; in
fact the attacker could create a symlink for every possible PID (as these
normally range from 0 to 32k or 64k).


VENDOR COMMUNICATION

 5 Dec 2002  StatSci/Insightful notified about shell scripts
 9 Dec 2002  Insightful notified about Sqpe
11 Dec 2002  We are currently investigating
17 Dec 2002  continuing to look into your queries
18 Dec 2002  anticipate tmpfile() ... in the next release
26 Dec 2002  Another list might be http://www.biostat.wustl.edu/s-news/


WORKAROUND/PATCH

The scripts could be patched trivially using one of the textbook methods,
e.g. using a safe directory:
  mkdir -m 700 /tmp/mydir$$ || exit 1
  ... do things to /tmp/mydir$$/myfile ...
  rm -rf /tmp/mydir$$

Fixing Sqpe is harder. Could (safely) pre-create /tmp/__F$$ e.g.:

*** splus/6.0/cmd/NEW.old	Tue Oct 10 16:06:37 2000
--- splus/6.0/cmd/NEW	Tue Dec 24 09:15:59 2002
***************
*** 9,13 ****
--- 9,19 ----
  then
  	echo $target not found; exit 1
  fi
+ set -e
+ umask 077
+ mkdir /tmp/F$$
+ touch /tmp/F$$/__F$$
+ mv -i /tmp/F$$/__F$$ /tmp </dev/null
+ rmdir /tmp/F$$
  exec $target
  
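Review bot: the hunk's defence against a pre-planted /tmp/__F$$ is only implicit: when that name already exists, `mv -i ... </dev/null` reads EOF at its prompt and leaves __F$$ inside /tmp/F$$, and the script then stops only because `rmdir /tmp/F$$` fails on the non-empty directory under `set -e`. Make the intent explicit with a post-condition before `exec $target`, e.g. `[ -f /tmp/__F$$ ] && [ ! -L /tmp/__F$$ ] || exit 1`, so the check does not hinge on mv's prompt handling. Also worth a comment: `umask 077` survives the `exec`, so every file Sqpe creates afterwards, including /tmp/__F$$ on its later reopen, becomes mode 0600 rather than the 0666 requested in the strace line above.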
but Sqpe would still be open to races as it repeatedly open()s and
unlink()s that file. A proper fix will have to come from the vendor.


SIGNATURE

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
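The safe-directory workaround from the WORKAROUND/PATCH section written out as a script, as an added example that is not the advisory's or the vendor's code: the fixed-name pattern used by sas_get/sas_vars sits beside its hardened form, together with the regular-file/not-a-symlink check a script should make before trusting a name under /tmp. It assumes mktemp(1) with -d and a test(1) that understands -O; both are assumptions, not taken from the page.

```shell
#!/bin/sh
# Hardened scratch-file handling for wrapper scripts like the S-PLUS ones.
# Added example, not the vendor's code. Assumes mktemp -d and test -O
# (file owned by the effective user), as found on GNU, BSD and busybox.

# Create a private (mode 0700) scratch directory and print its path.
# mkdir(2) fails with EEXIST when the name is already taken, whether by a
# file, a symlink or a directory, so unlike open(O_CREAT) on a fixed name
# a pre-planted symlink cannot redirect the write; it can only cause a
# refusal, which the caller must treat as fatal.
make_private_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/splus.XXXXXX" 2>/dev/null) &&
        { printf '%s\n' "$d"; return 0; }
    # Fallback from the post: predictable name, but mkdir still refuses
    # to follow a symlink or to reuse an existing directory.
    d="${TMPDIR:-/tmp}/splus.$$"
    mkdir -m 700 "$d" || return 1
    printf '%s\n' "$d"
}

# Post-condition to check before trusting a name under /tmp:
# a regular file, not a symlink, owned by the invoking user.
is_safe_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ]
}

# The pattern from sas_get/sas_vars: a fixed name in the shared /tmp.
# Whatever /tmp/file.1 currently is (including a symlink planted by
# another user) receives the write. Shown for contrast only, never called.
unsafe_write() {
    printf '%s\n' "$1" > /tmp/file.1
}

# Hardened form: the file lives in a directory only we can enter, the
# result is verified, and the directory is removed afterwards. A real
# script would also install  trap 'rm -rf "$dir"' EXIT  so an interrupted
# run does not leave the directory behind.
safe_write() {
    dir=$(make_private_tmpdir) || return 1
    printf '%s\n' "$1" > "$dir/file.1" || { rm -rf "$dir"; return 1; }
    is_safe_regular_file "$dir/file.1" || { rm -rf "$dir"; return 1; }
    cat "$dir/file.1"
    rm -rf "$dir"
}
```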


Copyright 2022, SecurityGlobal.net LLC