StarOffice temporary directory Vulnerability (/tmp/soffice.tmp)
------------------------------------------------------------------------

SUMMARY

StarOffice creates a temporary directory under /tmp with the name "soffice.tmp" and permissions 0777. Those permissions allow attackers to launch attacks ranging from reading other users' local files to planting Trojans that will be executed by the other users of StarOffice.

DETAILS

Vulnerable systems:
StarOffice 5.2

StarOffice creates a temporary directory in /tmp/soffice.tmp and explicitly sets access permissions to 0777. Therefore, if user A were to create a symbolic link to any file owned by user B, and if user B were to run StarOffice, the target of the link will become 0777. As a result, if the directory containing this target is accessible by user A, he will have complete control over the target file.

Some trivially exploitable scenarios here include:
- Gaining access to sensitive files (e.g., encrypted files or those containing private keys)
- Making user B's mail spool file world read/write-able
- Linking to a shell start-up file (e.g., ~/.profile, ~/.bashrc, ~/.cshrc etc.) which will become world read/write-able and hence can be modified to execute whatever user A wants next time user B logs in.

Note that there is no race condition here; the symbolic link just needs to be made before the victim runs StarOffice. There is also no issue in guessing the temporary directory name - it is always "soffice.tmp". Also, user B has no indication that anything has gone wrong. StarOffice performs as usual while being attacked, giving no error message or such.

The only two restrictions that were found are that the target file must be in a directory accessible by the attacker (otherwise its 0777 perms are not that useful) and the target must not have executable permission set.

Impact:
The impact of this vulnerability is quite significant on any system that serves multiple users, since every user can gain control over other users' accounts provided the targets use StarOffice.

Workaround:
A workaround is to create a symbolic link from /tmp/soffice.tmp to a directory inside your home directory which is inaccessible to anyone but yourself. Doing this before running StarOffice would seem to protect against the vulnerability and this could be written into a simple shell script wrapper.

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
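
The wrapper mentioned under Workaround, written out as an added example that is not part of the original advisory. PRIVATE_PARENT, SOFFICE_BIN and the script name "soffice-safe" are assumptions; the link target sits inside a 0700 parent so it stays unreachable even if its own mode is reset to 0777, and the script refuses to start when /tmp/soffice.tmp already exists and is not the caller's own link (on a shared host only one user can hold that name).

```sh
#!/bin/sh
# Added example: wrapper for the workaround described in the advisory.
# Assumed names (not from the advisory): PRIVATE_PARENT, SOFFICE_BIN and the
# installed script name "soffice-safe".
TMP_LINK="${TMP_LINK:-/tmp/soffice.tmp}"
PRIVATE_PARENT="${PRIVATE_PARENT:-$HOME/.soffice-private}"
PRIVATE_DIR="$PRIVATE_PARENT/tmp"
SOFFICE_BIN="${SOFFICE_BIN:-soffice}"

# True only if TMP_LINK is a symlink that we own and that points at PRIVATE_DIR.
link_is_ours() {
    [ -L "$TMP_LINK" ] || return 1
    # find does not follow the link, so -user tests the link's own owner.
    [ -n "$(find "$TMP_LINK" -prune -user "$(id -u)" -print 2>/dev/null)" ] || return 1
    [ "$(readlink "$TMP_LINK")" = "$PRIVATE_DIR" ]
}

prepare_private_tmp() {
    mkdir -p "$PRIVATE_DIR" || return 1
    # The parent must be a real directory (not a link) and closed to others;
    # it keeps the target unreachable even if the target itself becomes 0777.
    [ -d "$PRIVATE_PARENT" ] && [ ! -L "$PRIVATE_PARENT" ] || return 1
    chmod 700 "$PRIVATE_PARENT" || return 1

    if [ -e "$TMP_LINK" ] || [ -L "$TMP_LINK" ]; then
        # Something already holds the name: accept it only if it is our link.
        link_is_ours && return 0
        echo "refusing to start: $TMP_LINK exists and is not our link" >&2
        return 1
    fi
    ln -s "$PRIVATE_DIR" "$TMP_LINK" || return 1
    # Re-check: if the name appeared between the test and ln, fail closed.
    link_is_ours
}

# Start StarOffice only when the link is in place.
if [ "${0##*/}" = "soffice-safe" ]; then
    prepare_private_tmp || exit 1
    exec "$SOFFICE_BIN" "$@"
fi
```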
