Bugtraq mailing list archives

Re: ISS Security Advisory: Insecure call of external programs in Red Hat Linux tmpwatch


From: Alfred Perlstein <bright () WINTELCOM NET>
Date: Sun, 8 Oct 2000 16:20:24 -0700

* X-Force <xforce () ISS NET> [001008 12:30] wrote:

Internet Security Systems Security Advisory
October 6, 2000

Insecure call of external programs in Red Hat Linux tmpwatch

Synopsis:

The tmpwatch utility is used in Red Hat Linux to remove temporary files. This
utility has an option to call the "fuser" program, which verifies if a file is
currently opened by a process. The fuser program is invoked within tmpwatch by
calling the system() library subroutine. Insecure handling of the arguments to
this subroutine could potentially allow an attacker to execute arbitrary
commands.

Credits:

This vulnerability was discovered and researched by Allen Wilson and Aaron
Campbell of the ISS X-Force.

The vendor contact in regards to this vulnerability was performed with the
help of the SecurityFocus.com Vulnerability Help Team. For more
information or assistance drafting advisories please mail
vulnhelp () securityfocus com.

T ALEPH1 PLZ ALLOW POSTS FROM NORMAL USERZ AND NOT JUST SKRIPT
KIDDIEZ AND HAXX0RS WITH 31337 GROUP NAMEZ, K THNX.

translation:  Aleph, I posted about this almost a month ago, but
you didn't let it through, please take the time to review my posts,
I don't have the time to start any security groups nor do I wish
to send gr33tz to any of my friends on irc, I just want my comments
to be known.

From bright () wintelcom net Sat Sep  9 14:39:41 2000
Date: Sat, 9 Sep 2000 14:39:41 -0700
From: Alfred Perlstein <bright () wintelcom net>
To: zenith parsec <zenith_parsec () THE-ASTRONAUT COM>
Cc: BUGTRAQ () SECURITYFOCUS COM
Subject: execute arbitrary commands with tmpwatch? Re: tmpwatch: local DoS : fork()bomb as root
Message-ID: <20000909143941.W12231 () fw wintelcom net>
References: <20000909105828.20274.qmail () fiver freemessage com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20000909105828.20274.qmail () fiver freemessage com>; from zenith_parsec () THE-ASTRONAUT COM on Sat, Sep 09, 2000 at 10:58:28AM -0000
Status: RO
Content-Length: 1588
Lines: 60

* zenith parsec <zenith_parsec () THE-ASTRONAUT COM> [000909 08:17] wrote:
sent through bugzilla.redhat.com
no reply from responsible person.
here it goes.

Local DoS in /usr/sbin/tmpwatch.  root fork()bombs himself.

...

# chmod 400 /etc/cron.daily/tmpwatch
# chmod 400 /usr/sbin/tmpwatch
#


oh yeah.

slocate also segfaults on that directory.

$ ./a
to delete all the ./A/A/A/A/..... directories you own.

i hope.

This is cute, where is the bugfix though?

From a copy of the program (version 2.2):

  /* Do everything in a child process so we don't have to chdir(".."),
     which would lead to a race condition. fork() on Linux is very efficient
     so this shouldn't be a big deal (probably just a exception on one page
     of stack, not bad). I should probably just keep a directory stack
     and fchdir() back up it, but it's not worth changing now. */

1) hahahahahaha
2) this utility should be rewritten to just run its checks on the
   output from find which is a utility that's most likely smarter
   and proven about directory traversal than this thing.

Also:

              snprintf(cmd, 255, "/sbin/fuser %s/%s > /dev/null 2>&1",
                       dirname, ent->d_name);

USE SIZEOF DAMMIT.

sheesh!

Waitasec... there _could_ be a problem here...

touch '/tmp/;chmod 4755 $SHELL'

oops. :)

I don't run linux so I can't test this easily, maybe someone else can
confirm it and let me know?

thanks,
--
-Alfred Perlstein - [bright () wintelcom net|alfred () freebsd org]
"I have the heart of a child; I keep it in a jar on my desk."
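The hardened shape of the fuser call discussed in the message above, as an added example that is not tmpwatch's or the author's code: the pathname is passed as a single argv element through fork()/execv() instead of being pasted into a string handed to system(). `has_shell_metachars`, `run_noshell` and `check_in_use` are hypothetical names, and /bin/echo stands in for /sbin/fuser so the demo runs anywhere and makes visible that the crafted name arrives as one literal argument.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Bytes /bin/sh interprets. A filename containing any of them must never be
   spliced into a system() command string (space/tab split words too). */
static const char SHELL_META[] = ";|&$`<>()\\\"' \t\n*?[]{}~#";

/* 1 if a shell would (mis)interpret the name, 0 otherwise. */
int has_shell_metachars(const char *name) {
    return strpbrk(name, SHELL_META) != NULL;
}

/* Run argv[] with no shell in between, capturing up to outlen-1 bytes of
   the child's stdout into out. Returns the exit status, or -1 on failure. */
int run_noshell(char *const argv[], char *out, size_t outlen) {
    int fd[2];
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                           /* child: stdout -> pipe */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execv(argv[0], argv);                 /* each argv[i] stays one arg */
        _exit(127);                           /* exec failed */
    }
    close(fd[1]);
    char buf[256]; ssize_t n; size_t used = 0;
    while ((n = read(fd[0], buf, sizeof buf)) > 0) {   /* drain fully */
        size_t room = outlen - 1 - used;
        size_t take = (size_t)n < room ? (size_t)n : room;
        memcpy(out + used, buf, take);
        used += take;
    }
    out[used] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Safe equivalent of tmpwatch's "/sbin/fuser %s/%s" call: dir/name is built
   with sizeof (not a magic 255) and refused rather than truncated if too
   long, then passed as one argument. fuser_path is a parameter for the demo. */
int check_in_use(const char *fuser_path, const char *dir, const char *name,
                 char *out, size_t outlen) {
    char path[4096];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    char *argv[] = { (char *)fuser_path, path, NULL };
    return run_noshell(argv, out, outlen);
}
```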

