Bugtraq mailing list archives
Re: ISS Security Advisory: Insecure call of external programs in Red Hat Linux tmpwatch
From: Alfred Perlstein <bright () WINTELCOM NET>
Date: Sun, 8 Oct 2000 16:20:24 -0700
* X-Force <xforce () ISS NET> [001008 12:30] wrote:
-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
October 6, 2000

Insecure call of external programs in Red Hat Linux tmpwatch

Synopsis:

The tmpwatch utility is used in Red Hat Linux to remove temporary files. This utility has an option to call the "fuser" program, which verifies if a file is currently opened by a process. The fuser program is invoked within tmpwatch by calling the system() library subroutine. Insecure handling of the arguments to this subroutine could potentially allow an attacker to execute arbitrary commands.

Credits:

This vulnerability was discovered and researched by Allen Wilson and Aaron Campbell of the ISS X-Force. The vendor contact in regards to this vulnerability was performed with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp () securityfocus com.
T ALEPH1 PLZ ALLOW POSTS FROM NORMAL USERZ AND NOT JUST SKRIPT KIDDIEZ AND HAXX0RS WITH 31337 GROUP NAMEZ, K THNX.

translation: Aleph, I posted about this almost a month ago, but you didn't let it through, please take the time to review my posts, I don't have the time to start any security groups nor do I wish to send gr33tz to any of my friends on irc, I just want my comments to be known.
From bright () wintelcom net Sat Sep 9 14:39:41 2000
Date: Sat, 9 Sep 2000 14:39:41 -0700
From: Alfred Perlstein <bright () wintelcom net>
To: zenith parsec <zenith_parsec () THE-ASTRONAUT COM>
Cc: BUGTRAQ () SECURITYFOCUS COM
Subject: execute arbitrary commands with tmpwatch? Re: tmpwatch: local DoS : fork()bomb as root
Message-ID: <20000909143941.W12231 () fw wintelcom net>
References: <20000909105828.20274.qmail () fiver freemessage com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20000909105828.20274.qmail () fiver freemessage com>; from zenith_parsec () THE-ASTRONAUT COM on Sat, Sep 09, 2000 at 10:58:28AM -0000
Status: RO
Content-Length: 1588
Lines: 60

* zenith parsec <zenith_parsec () THE-ASTRONAUT COM> [000909 08:17] wrote:
sent through bugzilla.redhat.com no reply from responsible person. here it goes. Local DoS in /usr/sbin/tmpwatch. root fork()bombs himself.
...
# chmod 400 /etc/cron.daily/tmpwatch
# chmod 400 /usr/sbin/tmpwatch
# oh yeah. slocate also segfaults on that directory.
$ ./a to delete all the ./A/A/A/A/..... directories you own. i hope.
This is cute, where is the bugfix though?
From a copy of the program (version 2.2):
/* Do everything in a child process so we don't have to chdir(".."),
   which would lead to a race condition. fork() on Linux is very
   efficient so this shouldn't be a big deal (probably just a
   exception on one page of stack, not bad). I should probably just
   keep a directory stack and fchdir() back up it, but it's not worth
   changing now. */

1) hahahahahaha
2) this utility should be rewritten to just run its checks on the output from find which is a utility that's most likely smarter and proven about directory traversal than this thing.

Also:

    snprintf(cmd, 255, "/sbin/fuser %s/%s > /dev/null 2>&1", dirname, ent->d_name);

USE SIZEOF DAMMIT. sheesh!

Waitasec... there _could_ be a problem here...

touch '/tmp/;chmod 4755 $SHELL'

oops. :)

I don't run linux so I can't test this easily, maybe someone else can confirm it and let me know?

thanks,
--
-Alfred Perlstein - [bright () wintelcom net|alfred () freebsd org]
"I have the heart of a child; I keep it in a jar on my desk."
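
One way to avoid both problems raised in the message above (the hard-coded 255 and the file name reaching a shell through system()), as an added example that is not part of the original post and not tmpwatch's own code: build the path with a sizeof-bounded snprintf() and run the checker with fork()/execv(), so the name is a single argument. The function name run_on_file, the 4096-byte buffer and the sample file name are assumptions for illustration.

```c
/* Added example, not tmpwatch source: run a checker on dirname/name with no shell. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the program's exit status (127 if exec failed), or -1 on error. */
int run_on_file(const char *prog, const char *dirname, const char *name)
{
    char path[4096];
    /* Bound by sizeof(path) and treat truncation as failure, so a long
       name can never make us check a different file than intended. */
    int n = snprintf(path, sizeof(path), "%s/%s", dirname, name);
    if (n < 0 || (size_t)n >= sizeof(path))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: replaces the "> /dev/null 2>&1" of the shell command. */
        int fd = open("/dev/null", O_WRONLY);
        if (fd >= 0) { dup2(fd, 1); dup2(fd, 2); close(fd); }
        /* path is ONE argv element; ';', '$', spaces are plain bytes here.
           With an absolute dirname it also cannot start with '-'. */
        char *const argv[] = { (char *)prog, path, NULL };
        execv(prog, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed file name containing shell metacharacters. */
    int rc = run_on_file("/sbin/fuser", "/tmp", "a;echo not-run");
    printf("exit status: %d\n", rc);
    return 0;
}
```

fuser exits with 0 when at least one process has the file open and non-zero otherwise, so the caller can use the return value the same way the system() result was used.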