Category:   Application (Security)  >   InoculateIT Vendors:   CA
CA eTrust InoculateIT Default Linux Permissions May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1008993
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 10 2004
Impact:   Denial of service via local system, Modification of system information, Modification of user information, User access via local system
Exploit Included:  Yes  
Version(s): 6.0
Description:   A vulnerability was reported in CA's eTrust InoculateIT anti-virus software for Linux. A local user may be able to gain elevated privileges on the target system.

l0om from reported several flaws due to the file permissions on the Linux-based installation.

It is reported that some scripts use temporary files in an unsafe manner. A local user can create a symbolic link (symlink) from a critical file on the system to a temporary file to be used by the application. Then, when the affected application component runs, the symlinked file may be overwritten with the privileges of the application component.

The 'ino/scripts/inoregupdate', 'scripts/uniftest', and 'scripts/unimove' files manipulate temporary files in a world writable temporary directory, the report said.
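As an added example (not code from the advisory, from CA or from the reporter), the temp-file pattern described above rewritten so that it does not depend on a fixed path in a world-writable directory: the scratch file lives in a fresh 0700 directory created by mktemp, so a symlink planted at a predictable name is never followed. The function name safe_unimove and its argument order are assumptions.

```shell
#!/bin/sh
# Added example, not the vendor's script: hardened version of the
# "sed ... > /tmp/<fixed name>; mv <fixed name> $fn" temp-file pattern.
# Usage: safe_unimove FROM TO FILE  (replaces FROM with TO inside FILE)
safe_unimove() {
    from=$1; to=$2; fn=$3
    # mktemp -d creates a 0700 directory with an unpredictable name, so no
    # other local user can pre-create or symlink the scratch file path.
    tmpd=$(mktemp -d) || return 1
    trap 'rm -rf "$tmpd"' EXIT     # clean up even if sed or mv fails
    tmpf=$tmpd/unimove.sed
    sed -e "s!$from!$to!g" "$fn" > "$tmpf" || return 1
    # Only replace the original when the content actually changed and the
    # result is non-empty (the same two checks the original script makes).
    if ! cmp -s "$fn" "$tmpf" && [ -s "$tmpf" ]; then
        mv -f "$tmpf" "$fn" || return 1
    fi
    rm -rf "$tmpd"
    trap - EXIT
}
```

A caller that needs a shared temporary location should still point TMPDIR at a directory that is not world-writable, because mktemp honours it.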

It is also reported that some directories in the 'tmp' directory do not have the sticky bit set, allowing a local user to overwrite some critical files contained in those directories. The '.file', '.nob_event', '.nob_mutex', '.nob_sem', '.sem', and '.shm' directories are affected, according to the report.

It is also reported that the 'registry' directory is world-writable. In some cases, a local user may be able to change potentially sensitive values in the registry. For example, a local user can modify the 'registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/specified_list' key to change the file extensions that the anti-virus software will check.
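As an added audit example (not the advisory's, CA's or the reporter's code), the two permission conditions described above expressed as find checks, plus a hardening step: world-writable directories without the sticky bit receive +t, and world-writable files (the 'registry' case) lose o+w. make_sample_tree builds a constructed tree that mirrors the paths named in the advisory so the checks run offline; all function names are assumptions.

```shell
#!/bin/sh
# Added audit example, not the vendor's code. Checks an install prefix for
# the two permission problems in the advisory and can harden them in place.

# World-writable directories that lack the sticky bit: any local user can
# delete or replace another user's files inside them, whatever the file mode.
ww_dirs_no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# World-writable regular files (the 'registry' key files).
ww_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Harden: sticky bit on world-writable dirs, drop o+w on world-writable
# files. Prints each path it changed.
harden_prefix() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod +t {} \; -print
    find "$1" -type f -perm -0002 -exec chmod o-w {} \; -print
}

# Constructed sample tree (not a real installation) mirroring the paths
# named in the advisory; prints the root directory it created.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/tmp/.caipcs/.sem" "$root/tmp/.caipcs/ok" \
             "$root/registry/hkey_current_user"
    # Parent dirs get an explicit sane mode so the result does not depend
    # on the caller's umask.
    chmod 0755 "$root/tmp" "$root/tmp/.caipcs" \
               "$root/registry" "$root/registry/hkey_current_user"
    chmod 0777 "$root/tmp/.caipcs/.sem"   # world-writable, no sticky bit
    chmod 1777 "$root/tmp/.caipcs/ok"     # world-writable but sticky: fine
    printf 'sem\n' > "$root/tmp/.caipcs/.sem/3571729"
    chmod 0600 "$root/tmp/.caipcs/.sem/3571729"   # owner-only file, still replaceable via the dir
    printf 'exe,com\n' > "$root/registry/hkey_current_user/specified_list"
    chmod 0666 "$root/registry/hkey_current_user/specified_list"
    printf '%s\n' "$root"
}
```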

Impact:   A local user may be able to overwrite critical files on the system to change the operation of the product or potentially gain elevated privileges.
Solution:   No solution was available at the time of this entry.
Cause:   Access control error, State error
Underlying OS:  Linux (Any)

Message History:   None.

Source Message Contents

Subject:  [local problems] eTrust Virus Protection 6.0 InoculateIT for linux

author: l0om  <> 
software: eTrust Virus Protection 6.0 InoculateIT for 
local phun with etrust antivirus 6.0 inoculateIT 
eTrust InoculateIT 6.0 comes for the following OSes: 
-windows 95/98/ME 
-windows nt 4.0/2000 
-novell netware 3.x 4.x 5.x 
-lotus notes/domino 
-microsoft exchange server 
-and finally linux (SuSE, RedHat, Caldera, Turbo 
eTrust is an antivirus program which can scan nearly every file format 
for viruses. i have installed the version for linux on my SuSE 9.0 system 
and noticed the following security flaws: 
1) possible symlink attacks in some scripts 
  by the way- the env variable $CAIGLBL0000 can be /usr/local/eTrust/ for example. 
  however - the $CAIGLGL0000/tmp IS world writable... 
$NETSTAT -i 2>/dev/null | grep -v localhost > $tfn 
    $CAIGLBL0000/bin/unips > $local/unips.$$ 
    awk -f $local1/uniftest.awk $local/unips.$$ 
    rm $local/unips.$$ 
           sed -e "s!$from!$to!g" $fn > /tmp/.unimove.sed #<-- creates it now 
           diff $fn /tmp/.unimove.sed > /dev/null 
           if [ $? != 0 -a -s /tmp/.unimove.sed ]; 
                mv /tmp/.unimove.sed  $fn 
           rm /tmp/.unimove.sed    # deletes it if 
2) some directories in /tmp don't have the sticky bit 
an example: 
eTrustAE.lnx/tmp/.caipcs/ # ls -l
drwxrwxrwx    8 root     root          240 2004-02-05 09:58 .
drwxrwxrwx    4 root     root          160 2004-02-09 16:53 ..
drwxrwxrwx    2 root     root           48 2004-02-05 09:54 .file
-rw-r--r--    1 root     root         4110 2004-02-05 09:58 ipcrm.log
drwxrwxrwx    2 root     root          856 2004-02-05 10:48 .nob_event
drwxrwxrwx    2 root     root         1168 2004-02-05 10:48 .nob_mutex
drwxrwxrwx    2 root     root           48 2004-02-05 09:54 .nob_sem
drwxrwxrwx    2 root     root          384 2004-02-05 10:48 .sem
drwxrwxrwx    2 root     root           80 2004-02-05 10:48 .shm
eTrustAE.lnx/tmp/.caipcs # ls -l .sem
drwxrwxrwx    2 root     root          384 2004-02-05 10:48 .
drwxrwxrwx    8 root     root          240 2004-02-05 09:58 ..
-rw-------    1 root     root           20 2004-02-05 10:01 3571729
-rw-------    1 root     root            5 2004-02-05 09:58 3702805
-rw-------    1 root     root           25 2004-02-05 10:01 3735574
-rw-------    1 root     root           25 2004-02-05 10:01 3768343
-rw-------    1 root     root           15 2004-02-05 09:58 3801112
this directory includes values which are kinda sensitive. so only root can 
read or write them as we can see at this 
but as the upper directory /.sem has no sticky bit set and is world writeable. 
we can simply overwrite these files as the directory permissions are of a 
higher priority as the file permissions. this is the truth for a handful of 
for example: 
badass~:> phun() 
for i in `ls /usr/local/eTrustAE.lnx/tmp/.caipcs/.sem`; do 
cp -f ~/myblankass.ascii /usr/local/eTrustAE.lnx/
echo jupp 
badass~:> phun 
3) world writeable 
with the linux version of etrust there come some directories which we all know- the 
"registry". it seems like the whole registry key is world writeable: 
>find ./ -type f -perm -2 -print 
they got the sticky bit set, therefore we cannot overwrite or delete them, 
but sometimes we can change sensitive values in the registry. for example: 
cat ./registry/hkey_current_user/software/
this key contains a list of file endings which specifies what files should 
be scanned for a virus. a normal user can simply delete all values except one 
from this list, and can make the scanner pretty 
furthermore there are world writable keys like "windows/currentversion", 
with keys which include the path to the normal binaries ("/usr/bin"). 
it may be possible to execute whatever you want on a reboot if you 
the right keys in the right way. 
have phun! 
	feel phree! 
		life phat! 
YaCP - (Y)ast (a)nother (C)yber(P)unk 

