SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   ScrollKeeper Vendors:   scrollkeeper.sourceforge.net
ScrollKeeper Cataloging System Unsafe Use of Temporary Files May Let Local Users Gain Root Access
SecurityTracker Alert ID:  1005168
SecurityTracker URL:  http://securitytracker.com/id/1005168
CVE Reference:   CAN-2002-0662   (Links to External Site)
Date:  Sep 2 2002
Impact:   Denial of service via local system, Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.3.4, 0.3.11
Description:   An access control vulnerability was reported in ScrollKeeper. A local user may be able to gain root access on the system when temporary files are written.

The vulnerability reportedly exists in the 'scrollkeeper-get-cl' program that is used to obtain a category tree. The category tree content list is passed to the requestor through temporary files in /tmp directory, but no security checks are performed when the content list is written. According to the report, the content list is written with the privileges of the requesting users.

A local user could create a symbolic link from a temporary file name to another critical file on the system. It is reported that the file names are of the form:

/tmp/scrollkeeper-tempfile.{0,1,2,3,4}

Then, when ScrollKeeper is invoked by a privileged user, the linked file may be written to with the privileges of the calling user.

A demonstration exploit scenario is described in the Source Message.

Impact:   A local user may be able to cause arbitrary files to be written to or overwritten with the privileges of another user if the other user can be made to invoke ScrollKeeper.
Solution:   The vendor has reportedly released a fixed version.

[Editor's note: At the time of this entry, the latest version available was 0.3.11, which is reported to be vulnerable. It is possible that the fix is in the CVS version, but that has not been verified:

http://scrollkeeper.sourceforge.net/cvs.shtml]

Vendor URL:  scrollkeeper.sourceforge.net/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) Re: ScrollKeeper Cataloging System Unsafe Use of Temporary Files May Let Local Users Gain Root Access   (bugzilla@redhat.com)
Red Hat has issued a fix.
(Debian Issues Fix) ScrollKeeper Cataloging System Unsafe Use of Temporary Files May Let Local Users Gain Root Access   (joey@infodrom.org (Martin Schulze))
Debian has released a fix.



 Source Message Contents

Date:  Mon, 2 Sep 2002 13:59:00 +0200 (CEST)
Subject:  The ScrollKeeper Root Trap




Release date	: September 2  2002
Author		: Spybreak (spybreak@host.sk)
Package		: Scrollkeeper
Version		: 0.3.4, 0.3.11
Severity	: Medium to High
Vendor homepage : scrollkeeper.sourceforge.net
Status          : vendor contacted
Problem		: Insecure creation of tempfiles in /tmp
Local		: yes
Remote		: no




1.) INTRODUCTION

ScrollKeeper is a system for managing document metadata. Its primary function
is to act as a card catalog for documents, keeping track of what documents
are available, where  they  can be found, and various attributes of the
documents such as their language, format, subject, version, and position in
a contents list. It also manages other metadata such as document indices.

ScrollKeeper acts as a middle layer between applications and help browsers.
When applications install documentation, the documentation is registered
with ScrollKeeper. Any ScrollKeeper-aware help browser on the system can then
access this information. In this way, ScrollKeeper is a compatibility layer
which allows any help browser to interface to all the documentation on
a system, provided the package which ships the documentation registers it
with ScrollKeeper.


2.) PROBLEM DESCRIPTION

The ScrolKeeper package contains a program named scrollkeeper-get-cl
that is called through other auxilliary programs by ScrollKeeper-aware
browsers to get a category tree.

The content list is then passed to the requestor through tempfiles in the
/tmp directory.

Unfortunately, there are no security checks when the content list is
written. Since the files are written with the rights of the requestor,
her files can be overwritten or new files created.


3.) PROOF OF CONCEPT EXPLOIT

Example of root exploitation for ScrollKeeper 0.3.4 on Red Hat 7.3,
default install:

First, scrollkeeper-get-cl is called everytime the Nautilus browser is
started. Second, to start the Nautilus browser on the X startup is
a default behavior on RH 7.3.

The ScrollKeeper cycles through five temporary filenames (slots) of the
form /tmp/scrollkeeper-tempfile.{0,1,2,3,4} and uses the first one that
does not exist or the oldest one.
As we have little control over what is written into the tempfiles, we have
to exploit the fact, that we can create a file with name we choose,
anywhere on the filesystem.

Link like this does the work:

ln -s /etc/log.d/scripts/logfiles/xferlog/'`useradd -rou0 -g0 -p "" yeah`'
/tmp/scrollkeeper-tempfile.x

Remember, Logwatch is our friend, still.
In fact, our scrollkeeper-tempfile.x slot will be the one used by
ScrollKeeper, if x has a value 0 or 1, or the previous slots have an
ascending c-times. It's because our symlink pointing to a nonexisting
file is always considered to be an empty slot, since stat is used for
status checking instead of lstat.

Two problems arise:

a) lack of free slots
b) we need a privileged user to make an X session

Solutions:

a) since the ScrollKeeper does not any cleanup of these files
   it can be a problem but tmpwatch is our friend too, everything depends
   on the X login activity; many admins clean their /tmp dir by custom
   scripts on every system startup
b) using X window system as root is a really silly behavior,
   but it happens too often; the /var/log/wtmp* files and a quick
   check on the presence of some X-Files ;-) in the /tmp directory
   may give a clue about such behavior


4.) REMEDY

Upgrade to the latest, patched version.


5.) ADDITIONAL INFO

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0662 to this issue.




Public key:
http://spybreak.host.sk

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC