SecurityTracker.com
Category:   Application (Security)  >   Fcheck
Vendors:   Gumienny, Michael
Fcheck Security Utility May Execute Arbitrary Commands Supplied By Local Users
SecurityTracker Alert ID:  1001140
SecurityTracker URL:  http://securitytracker.com/id/1001140
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 22 2001
Impact:   Execution of arbitrary code via local system
Exploit Included:  Yes  
Version(s): probably all versions prior to 2.07.59
Description:   Local users can cause fcheck to execute arbitrary code. Fcheck is a freeware intrusion detection, policy enforcement, and auditing software package written in perl.

A local user can place a carefully crafted filename in a directory checked by fcheck that will cause commands to be executed with the privileges of the user running fcheck.

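Fcheck builds a command string that contains the filename and passes it to a Perl open() statement with the '|' character. The string is interpolated and then sent to a command interpreter (a shell, such as sh, csh or bash) for execution, so shell metacharacters in the filename are interpreted by that shell.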

The affected code is described in detail in the source message.

Impact:   A local user can cause fcheck to execute commands with the privileges of the user running fcheck.
Solution:   No solution was available at the time of this entry. The author of the source message makes some recommendations (see the source message).
Vendor URL:  www.geocities.com/fcheck2000/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  fcheck prior to 2.07.59 - vulnerability - improper use of perl


VULNERABLE:  Probably all versions prior to 2.07.59 - the author of fcheck
can't be bothered to note security fixes in his change log, but most
likely all prior versions had this vulnerability.

Vulnerability: by placing a carefully crafted filename in a directory
checked by vulnerable versions of fcheck, commands can be executed with
the rights of the user running fcheck.


Discussion:


fcheck is a "poor man's tripwire" - it is a file integrity checker written
in perl.

To accomplish some functions, it uses external programs, such as md5,
md5sum and/or file.

These are accessed by issuing something on the order of:


     open(IN, "$program_name '$filename' |");
     $filesig = <IN>;
     close IN;


rest of the string to be interpolated, then sent to a command interpreter
(a shell, such as sh, csh or bash) for execution, with its output coupled
to the filehandle IN.

In the program under consideration, $program_name is under the control of
the person who configured fcheck (presumably root) but $filename can be the
name of any file placed into any directory which fcheck is instructed to
check.

If one goes to a directory checked by fcheck and issues:

echo "test" >exploit\'\;\`touch\ blah\`\'

as written (this was tested on linux running bash), then runs fcheck, you
will find that the file named blah has been created because the command
'touch blah' contained in the filename created above was executed.  (Using
the echo, rather than just touch'ing the file is needed because fcheck
doesn't run the signatures on zero length files.)

So if this is run by root, but checks files/directories writable by other than
root, using the -s switch or checking files which cause the external
$Filefunc command to be used, a problem exists.

The workaround, implemented in good version(s), is to do the following:

     else

therefore the interpretation of the metacharacters.
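
The string-form pipe open from the message, set beside Perl's list-form pipe open, which runs the external program without a shell. This is an added example, not fcheck's code and not necessarily the change shipped in 2.07.59. It assumes a Unix-like system with md5sum on the PATH and perl 5.8 or later; the helper names sig_via_shell and sig_via_exec are hypothetical, and the sample file is created in a temporary directory using the filename given in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# String form, as in the message above: perl passes the whole command line
# to the shell, which parses metacharacters embedded in the filename.
sub sig_via_shell {
    my ($program, $filename) = @_;
    open(my $in, "$program '$filename' |") or return;
    my $sig = <$in>;
    close $in;
    return $sig;
}

# List form: perl execs $program directly and passes $filename as a single
# argument, so no shell parses it. "--" stops a name that begins with "-"
# from being read as an option.
sub sig_via_exec {
    my ($program, $filename) = @_;
    open(my $in, '-|', $program, '--', $filename) or return;
    my $sig = <$in>;
    close $in;
    return $sig;
}

# Constructed test setup: a scratch directory holding one non-empty file
# whose name is the one used in the message above.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
my $name = q{exploit';`touch blah`'};
open(my $fh, '>', $name) or die "create: $!";
print {$fh} "test\n";
close $fh;

for my $case (['list form', \&sig_via_exec], ['string form', \&sig_via_shell]) {
    my ($label, $sig_fn) = @$case;
    my $sig = $sig_fn->('md5sum', $name);
    printf "%-11s signature: %s", $label, defined $sig ? $sig : "(none)\n";
    printf "%-11s 'blah' %s\n", $label, -e 'blah' ? 'exists' : 'absent';
}
chdir '/';    # leave the scratch directory so it can be removed at exit
```

With the list form the file is hashed under its literal name and no second file appears; with the string form the shell splits the name at the embedded quote and runs the backquoted command, so no signature for the real file is returned.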


 
 

