SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Tarantella
Vendors:   Tarantella, Inc.
Tarantella Enterprise Server '/tmp/spinning' Symlink Hole Lets Local Users Obtain Root Access When the Software is Installed
SecurityTracker Alert ID:  1003607
SecurityTracker URL:  http://securitytracker.com/id/1003607
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 20 2002
Impact:   Modification of system information, Root access via local system
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 3
Description:   Another temporary file installation vulnerability was reported in the Tarantella Enterprise application server. A local user could obtain root access during installation.

During installation, the server reportedly creates a temporary file with a predictable name ('/tmp/spinning') with global read and write permissions. The file is reportedly removed and recreated several times during installation.

A local user can create a symbolic link from the temporary file name to a critical file on the system, as shown below:

ln -s /etc/passwd /tmp/spinning

Then, after a root user is done installing Tarantella, the linked file will be left with global read and write privileges, allowing any local user to modify the file and obtain root privileges on the system.

Impact:   A local user can obtain root access on the system when Tarantella is installed.
Solution:   No solution was available at the time of this entry. However, the vendor reportedly plans to fix this in the next release.

The author of the report recommends running the target system in single user mode before this software is installed.
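
An added example (not Tarantella's installer code and not from the report) of how an install script can keep a progress marker without the fixed, world-writable '/tmp/spinning', together with two checks for hosts where the unpatched installer has to run. The `tta-install` prefix and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. The installer in the advisory does:
#   touch /tmp/spinning; chmod 777 /tmp/spinning
# Both commands follow symlinks, so a link planted at that fixed name
# redirects root's chmod to the link target.

# make_state_dir: private (mode 0700) directory with an unpredictable name.
make_state_dir() {
    ( umask 077; mktemp -d "${TMPDIR:-/tmp}/tta-install.XXXXXX" )
}

# write_marker DIR STATE: (re)create the progress marker inside DIR.
write_marker() {
    dir=$1; state=$2
    # DIR must be a real directory, not a link to one.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    rm -f "$dir/spinning"
    # umask 077 gives mode 0600 with no chmod; noclobber (set -C) makes the
    # redirect fail if the name exists again, symlinks included.
    ( umask 077; set -C; printf '%s\n' "$state" > "$dir/spinning" ) 2>/dev/null
}

# audit_marker PATH: for hosts that must run the unpatched installer.
# Prints symlink, present or absent; anything but absent needs a look first.
audit_marker() {
    if [ -L "$1" ]; then echo symlink
    elif [ -e "$1" ]; then echo present
    else echo absent
    fi
}

# world_writable FILE: succeeds if FILE itself has the o+w bit set,
# the post-install symptom shown in the report's ls -l output.
world_writable() {
    [ -n "$(find "$1" -prune -type f -perm -0002 2>/dev/null)" ]
}

# Demo: marker kept in a private directory, removed on exit.
state_dir=$(make_state_dir) || exit 1
trap 'rm -rf "$state_dir"' EXIT
write_marker "$state_dir" "unpacking" && cat "$state_dir/spinning"
```

`audit_marker` is a point-in-time check: because the installer removes and recreates the file several times, a clean result before installation does not cover links created while it runs. `world_writable /etc/passwd` after installation detects the outcome described above.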

Vendor URL:  www.tarantella.com/products/e3/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Workaround) Re: Tarantella Enterprise Server '/tmp/spinning' Symlink Hole Lets Local Users Obtain Root Access When the Software is Installed
The vendor has described a temporary workaround.
(Vendor Plans Fix for New Versions) Re: Tarantella Enterprise Server '/tmp/spinning' Symlink Hole Lets Local Users Obtain Root Access When the Software is Installed
The vendor plans to fix the issue in new releases.



 Source Message Contents

Subject:  Another local root vulnerability during installation of Tarantella


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

			Larry W. Cashdollar
			    Vapid Labs
		            2/18/2002


Another local root vulnerability during installation of Tarantella
Enterprise 3.


During installation a "twirling / \ | - " text graphic is displayed (you
remember them from the shareware games in DOS days..)  they create a file
in /tmp called spinning to determine at what state the installation is at.
The file's permissions are changed to read write execute for all, removed and
recreated during different stages of the installation.  It is vulnerable to
a simple symlink attack.

Problem Code:
<----snip---->
touch /tmp/spinning >/dev/null 2>&1
chmod 777 /tmp/spinning >/dev/null 2>&1
<----snip---->

Exploit:
There is no race condition here, just create the link.

[lwc@misery] ln -s /etc/passwd  /tmp/spinning

Wait until root is done installing...

[lwc@misery] ls -l /etc/passwd
- -rwxrwxrwx    1 root     root         1094 Feb 18 22:39 /etc/passwd


Recommendations:
I again recommend the target system is running in single user mode before this
software is installed.


The vendor has been notified and plans to fix this in the next release.



http://vapid.dhs.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8clFP1hSQ6Gxh/KoRAtQWAKCOod+43+rYbvc0pmw2ZnPZ5pDsqwCcD18m
w80GBUP5ejW31415uXSVmGg=
=U3gs
-----END PGP SIGNATURE-----

 
 

