author: l0om email: email:l0om | a7 | excluded d07 org page: www.excluded.org worring about YaST in SuSE 9.3 and maybe lower iam wondering about the installation routine from SuSE linux 9.3 and maybe some lower verisons. YaST is creating a directory named "/var/adm/YaST/InstSrcManager/IS_CACHE_0x0000000X/DATA/descr" which is worldwritable by default. the directory contains data like packagenames and pathnames needed for YaST if you install software. for normal this directory shouldnt be writable by everyone because if you change the install media a new "IS_CACHE_0x0000000X/DATA/descr" is created which isnt worldwritable. so you may be able to poising the data which is viewd by root while he is trying to install data. the following data may be changed for example (file "packages"): ##---------------------------------------- =Pkg: 3ddiag 0.724 3 i586 +Req: /bin/sh rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(CompressedFileNames) <= 3.0.4-1 /bin/sh libc.so.6 libc.so.6(GLIBC_2.0) libhd.so.10 libsysfs.so.1 rpmlib(PayloadIsBzip2) <= 3.0.5-1 -Req: +Prq: /bin/sh rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadIsBzip2) <= 3.0.5-1 -Prq: +Prv: 3ddiag = 0.724-3 -Prv: =Grp: System/Base =Lic: GPL =Src: 3ddiag 0.724 3 src =Tim: 1111489970 =Loc: 1 3ddiag-0.724-3.i586.rpm =Siz: 28015 46735 +Aut: Stefan Dirsch <sndirsch@xxxxxxx> -Aut: ##---------------------------------------- thats the information for one package. change the rpms path to somethin like "../../../" isnt possible cause its filterd. for sure you can simply prevent the admin installing new software with YaST if you destroy the "packages" file but i have noted somethin else too. if you change the "=Loc" parameter e.g. to the following: =Loc: 1 AAAAAAAA["A"x515]AAA3ddiag-0.724-3.i586.rpm and the administrator is trying to install the package it will end in a Segmentation Fault that may be exploitable for an attacker. --- root:~# yast [trys to install some stuff] sbin/yast: line 207: 8447 Speicherzugriffsfehler (core dumped) $ybindir/y2base menu ncurses badass@linux:~> gdb /usr/lib/YaST2/bin/y2base core.8447 -q [...] Reading symbols from /usr/lib/libncursesw.so.5...done. Loaded symbols for /usr/lib/libncursesw.so.5 Reading symbols from /usr/lib/libpanelw.so.5...done. Loaded symbols for /usr/lib/libpanelw.so.5 Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_system.so.2...done. Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_system.so.2 Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_ini.so.2...done. Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_ini.so.2 Reading symbols from /usr/lib/YaST2/plugin/libpy2Pkg.so.2...done. Loaded symbols for /usr/lib/YaST2/plugin/libpy2Pkg.so.2 Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_xml.so.2...done. Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_xml.so.2 Reading symbols from /usr/lib/libxml2.so.2...done. Loaded symbols for /usr/lib/libxml2.so.2 Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_hwprobe.so.2...done. Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_hwprobe.so.2 Reading symbols from /lib/libhd.so.10...done. Loaded symbols for /lib/libhd.so.10 Reading symbols from /lib/libsysfs.so.1...done. Loaded symbols for /lib/libsysfs.so.1 Reading symbols from /usr/lib/libiw.so.28...done. Loaded symbols for /usr/lib/libiw.so.28 #0 0xffffe410 in ?? () (gdb) i r eax 0x1 1 ecx 0x4010d9e9 1074846185 edx 0x1 1 ebx 0x7 7 esp 0x4127c3a4 0x4127c3a4 ebp 0x4127c3d8 0x4127c3d8 esi 0x80ef104 135196932 edi 0x80ef0d8 135196888 eip 0xffffe410 0xffffe410 eflags 0x293 659 cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51 ----- as there is no need to have the directory worldwritable it should be chmoded to somethin different.
