SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Tarantella Vendors:   Tarantella, Inc.
(Vendor Issues Workaround) Re: Tarantella Enterprise Server '/tmp/spinning' Symlink Hole Lets Local Users Obtain Root Access When the Software is Installed
SecurityTracker Alert ID:  1003745
SecurityTracker URL:  http://securitytracker.com/id/1003745
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 5 2002
Impact:   Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3
Description:   Another temporary file installation vulnerability was reported in the Tarantella Enterprise application server. A local user could obtain root access during installation.

During installation, the server reportedly creates a temporary file with a predictable name ('/tmp/spinning') with global read and write permissions. The file is reportedly removed and recreated several times during installation.

A local user can create a symbolic link from the temporary file name to another critical file on the system, such as is shown below:

ln -s /etc/passwd /tmp/spinning

Then, after a root user is done installing Tarantella, the linked file will be left with global read and write privileges, allowing any local user to modify the file and obtain root privileges on the system.

Impact:   A local user can obtain root access on the system when Tarantella is installed.
Solution:   The vendor has described the following workaround:

1.Use a separate, dedicated host for Tarantella Enterprise 3 software.
2.Make sure that only trusted users have access to this host - before, during and after installation.
3.Ensure that no temporary files are present before starting installation.

This vulnerability will be removed from future releases of Tarantella Enterprise 3 software.

The vendor has provided some procedures to attempt to determine if a system has been compromised (see the Source Message).

Vendor URL:  www.tarantella.com/security/bulletin-04.html (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 20 2002 Tarantella Enterprise Server '/tmp/spinning' Symlink Hole Lets Local Users Obtain Root Access When the Software is Installed



 Source Message Contents

Subject:  Tarantella Security Bulletin #04


Tarantella Security Bulletin #04

Incorrect file permissions during installation may allow a user to gain
root privileges

Originally posted: March 5, 2002 
Last updated: March 5, 2002 

Summary

Affected products

Tarantella Enterprise 3, version 3.2x on all operating systems. 
Tarantella Enterprise 3, version 3.1x on all operating systems. 
Tarantella Enterprise 3, version 3.0x on all operating systems. 

Problem

The permissions of some temporary files used during installation are
incorrect. 

Impact

If a user has access to a host before or during the installation of
Tarantella Enterprise 3 software on that host, it is possible for that
user to gain root privileges on that host. 

Solution

We recommend: 

1.Use a separate, dedicated host for Tarantella Enterprise 3 software. 
2.Make sure that only trusted users have access to this host - before,
during and after installation. 
3.Ensure that no temporary files are present before starting
installation. 

This vulnerability will be removed from future releases of Tarantella
Enterprise 3 software. 


Technical details

The affected products contain a vulnerability that allows a sufficiently
knowledgeable user to gain root privileges. 

The vulnerability concerns the installation process, which must be run
as root, and which makes use of temporary files while extracting and
installing the software. Some of these files are created with
inappropriate file permissions. 

A malicious user must know in advance that another user plans to install
Tarantella Enterprise 3 software on the host. The user must also know
details of the installation process: in particular, which temporary
files are used. By exploiting the incorrect file permissions the user
may obtain root privileges. 

Checking for vulnerable installations

An installation is vulnerable if the following is true: 

1.The installation is Tarantella Enterprise 3 version 3.0x, 3.1x or 3.2x
on any operating system. 

To check the version of your installation

1.Log in to the UNIX host on which the Tarantella Enterprise 3 software
is installed. 
2.Type the following (replacing /opt/tarantella with the name of your
installation directory, if different): 

  /opt/tarantella/bin/tarantella version

3.This displays the version numbers of all installed components. Check
the version number for the main component (shown as "Tarantella
Enterprise 3 for operating system"). If this begins 3.2, 3.1 or 3.0,
then the installation is vulnerable.  In all other cases the
installation is not vulnerable. 


Detecting possible attacks

To check whether someone has tried to exploit the vulnerability: 

1.Check for the existence of unexpected temporary files before
installation of Tarantella Enterprise 3 software. 
2.Use your system logging tools to check for unauthorized access, for
example unexpected access by the root user. 

Impact

The vulnerability allows a malicious user to gain root privileges for
the host on which Tarantella Enterprise 3 software is installed. 

Solution

No patch is available to remove this vulnerability. 

We recommend: 

1.Use a separate, dedicated host for Tarantella Enterprise 3 software. 
2.Make sure that only trusted users have access to this host - before,
during and after installation. 
3.Ensure that no temporary files are present before starting
installation. 

This vulnerability will be removed from future releases of Tarantella
Enterprise 3 software. 

Acknowledgments

We would like to thank the following people for reporting this
vulnerability: 

Larry W. Cashdollar <lwc@vapid.dhs.org> 

Contact details

To report a suspected vulnerability in a Tarantella product, email
security@tarantella.com with full details. 

For general support information, see the Tarantella Support web site. 

About this bulletin

URL: http://www.tarantella.com/security/bulletin-04.html 
Internal reference: FZ601873 
Revision history: 
     1.1 (March 5, 2002): Bulletin created.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC