Bugtraq mailing list archives

Security Bug in InoculateIT for Linux (fwd)


From: Chris Wilson <chris () camcom co uk>
Date: Fri, 25 May 2001 18:54:13 +0100 (BST)

Dear Bugtraq Readers,

We believe we have discovered a security flaw (a /tmp race condition) in
Computer Associates' InoculateIT product, a good virus scanner for
Microsoft and UNIX platforms which is free for personal use. The
vulnerability allows local users to deny service to the system or possibly
gain root privileges.

The vulnerability affects some UNIX versions of InoculateIT under certain
conditions. Although we tested the Linux version, this version is not
vulnerable under normal circumstances. However, we believe that other UNIX
versions are basically identical and, given the necessary directory
layout, will be vulnerable to this attack.

We notified the vendor (www.ca.com) on Thursday 17th May (over one week
ago) and have received no response, so in accordance with RFPolicy
(http://www.wiretrip.net/rfp/policy.html) we are making this information
public. Please find the advisory below.

Please note that the advisory contains a small mistake. We have discovered
that it is not possible, as previously thought, to overwrite any file on
the system with arbitrary contents, only with the contents of an FTP
download or error message. We believe that this mitigates the risk of
exploitation, but we could be wrong.

I wish vendors would reply to their e-mail, but I guess that would be
asking too much.

Ciao, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson <chris () camcom co uk> | +44 1223 576 516 |
/ (_ / ,\/ _/ /_ \ | Lead Developer - Firewall Systems | www.camcom.co.uk |
\ _//_/_/_//_/___/ | Unix Systems and Network Engineer +-- Cambridge UK --+

---------- Forwarded message ----------
Date: Thu, 17 May 2001 17:02:52 +0100 (BST)
From: Chris Wilson <chris () camcom co uk>
To: support () ca com, security () ca com, info () ca com, security-alert () ca com,
     secure () ca com
Cc: john () camcom co uk, mark () camcom co uk
Subject: Security Bug in InoculateIT for Linux

Dear Sirs,

I believe there is a vulnerability in InoculateIT for Linux, and probably
other Unix versions of InoculateIT, which allows local non-root users to
delete any file on the system, and under some circumstances to overwrite
any file on the system, next time the "update_signature" is run by root.
If the recommendations in the documentation are followed, this will happen
every day at 1am.

The update_signature script, at least in the Linux version, calls
ftpdownload to retrieve an updated version of itself. ftpdownload contains
a security vulnerability, and update_signature contains a self-destruct
mechanism.

1. Insecure temporary files.
============================

ftpdownload contains the following lines:

  wlog=/tmp/ftpdownload.log
  ...
      $CAIGLBL0000/ino/bin/wget $URL -O $LOCAL_FN > $wlog 2>&1

Because the temporary file /tmp/ftpdownload.log has a well-known,
non-random name and is created in a public /tmp directory, any user can
create a symbolic link from /tmp/ftpdownload.log to another file on the
system, and that file will be overwritten. This requires two
preconditions:

a) $CAIGLBL0000/ino/bin/wget must exist, otherwise wget is not run.
b) ftpdownload is run as root

If these preconditions are met, and /tmp/ftpdownload.log is a symbolic
link to, say, /etc/passwd, then that file will be overwritten next time
ftpdownload is run. This may happen automatically, since the README file
gives instructions for installing it as a cron job which executes
automatically every day at 1am. The result is at least a denial of
service, and quite possibly a root compromise if you overwrite the correct
file.

The solution is to modify the script to store the log file in a secure
temp directory, for example:

  wlog=$LOCAL_FN.log


2. Self-Destruct in update_signature.
=====================================

update_signature helpfully renames the current InoculateIT files with a
.prev extension before downloading an update, in case the updated files
are corrupt or do not work for some reason. However, in the event of a
download failure, the .prev files are not restored to their original
names. The virus scanner will then refuse to run unless these files are
renamed manually, or update_signature.prev is run manually to download a
new copy.

An automatic update might fail for a number of reasons, for example if the
user's Internet connection has failed, is busy, or is under a
denial-of-service attack, or if CA's server crashed, was cracked, or was
under heavy load (e.g. around 1am =).

The solution is to change this code:

    else
        echo "Error $? during tar extract"
        exit 16
    fi

to:

    else
        echo "Error $? during tar extract"
        for i in inocucmd virsig.dat README.txt update_signature ftpdownload $id_file; do
                mv -f $i.prev $i
        done
        exit 16
    fi

This advisory notice is RFPolicy compliant
(http://www.wiretrip.net/rfp/policy.html). Unless you contact us first,
we intend to publish this advisory at 9:00am GMT on the 25th May 2001 (five
working days). But please don't make us do that.

Yours sincerely,

Chris Wilson.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson <chris () camcom co uk> | +44 1223 576 516 |
/ (_ / ,\/ _/ /_ \ | Lead Developer - Firewall Systems | www.camcom.co.uk |
\ _//_/_/_//_/___/ | Unix Systems and Network Engineer +-- Cambridge UK --+
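
The race in item 1 and the missing rollback in item 2, as an added shell example that is not part of the original advisory or of CA's scripts. It replays both inside a throwaway directory created with mktemp -d (standing in for /tmp and for the InoculateIT install directory); the function names, the victim.conf file, the "old-"/"new-" file contents and the "wget: connection refused" text are all constructed for the demo. The hardened log path uses mktemp rather than the author's suggested $LOCAL_FN.log; both deny the attacker a name to pre-plant, and the example also carries the .prev rollback through a simulated extract failure:

```shell
#!/bin/sh
# Added example, not CA's code: models the two problems in the advisory
# inside a throwaway directory. Nothing here touches the real /tmp or a
# real InoculateIT install; all names and file contents are constructed.

# Item 1, vulnerable pattern: a fixed, predictable log name in a shared
# directory. $1 stands in for /tmp, $2 for what wget would have printed.
vuln_download_log() {
    wlog="$1/ftpdownload.log"
    # Models: $CAIGLBL0000/ino/bin/wget $URL -O $LOCAL_FN > $wlog 2>&1
    # The shell's '>' follows a symlink, so whatever $wlog points at is
    # truncated and rewritten with the privileges of the job (root).
    printf '%s\n' "$2" > "$wlog" 2>&1
}

# Item 1, hardened pattern: mktemp creates the log with O_CREAT|O_EXCL and
# mode 0600 under an unpredictable name, so a symlink planted in advance is
# neither followed nor guessable. Prints the path it created.
safe_download_log() {
    wlog=$(mktemp "$1/ftpdownload.XXXXXX") || return 1
    printf '%s\n' "$2" > "$wlog" 2>&1
    printf '%s\n' "$wlog"
}

# Plays the attack: an unprivileged user plants the symlink, then the 1am
# job runs variant $1 (vuln or safe). Prints "clobbered" or "intact".
run_attack() {
    sandbox=$(mktemp -d) || return 1
    shared="$sandbox/tmp"
    mkdir "$shared"
    victim="$sandbox/victim.conf"               # stands in for /etc/passwd
    printf 'important=1\n' > "$victim"
    ln -s "$victim" "$shared/ftpdownload.log"   # attacker's step
    if [ "$1" = vuln ]; then                    # root's step
        vuln_download_log "$shared" "wget: connection refused"
    else
        safe_download_log "$shared" "wget: connection refused" >/dev/null
    fi
    if grep -q '^important=1$' "$victim"; then echo intact; else echo clobbered; fi
    rm -rf "$sandbox"
}

# Item 2, the fix: put the .prev copies back when the update fails.
# $1 = install directory, remaining arguments = file names.
rollback_prev() {
    rdir="$1"; shift
    for i in "$@"; do
        if [ -f "$rdir/$i.prev" ]; then mv -f "$rdir/$i.prev" "$rdir/$i"; fi
    done
}

# Models update_signature's rename-then-extract flow. $1 = 1 if the
# simulated tar extract succeeds, 0 if it fails. Prints the live
# virsig.dat afterwards so the caller can see which version is in place.
simulate_update() {
    inst=$(mktemp -d) || return 1
    files="inocucmd virsig.dat update_signature ftpdownload"
    for f in $files; do printf 'old-%s\n' "$f" > "$inst/$f"; done
    for f in $files; do mv -f "$inst/$f" "$inst/$f.prev"; done   # keep originals
    if [ "$1" = 1 ]; then
        for f in $files; do printf 'new-%s\n' "$f" > "$inst/$f"; done
    else
        echo "Error during tar extract" >&2
        rollback_prev "$inst" $files   # without this the scanner is left with no files
    fi
    cat "$inst/virsig.dat"
    rm -rf "$inst"
}

# Stand-alone run: the vulnerable job clobbers the victim, the hardened one
# does not, and a failed update leaves the old signature file in place.
echo "vuln job:  $(run_attack vuln)"        # clobbered
echo "safe job:  $(run_attack safe)"        # intact
echo "failed update, live signature: $(simulate_update 0)"   # old-virsig.dat
```

The vulnerable run shows why the preconditions matter: the redirection is the only step that needs root, and the symlink can be planted any time before the cron job fires. Note that mktemp also relies on the sticky bit on /tmp to stop another user unlinking the file it created; the author's $LOCAL_FN.log avoids the shared directory altogether, provided $LOCAL_FN lives somewhere only root can write.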
