SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   CONTROL-M Vendors:   BMC Software
BMC CONTROL-M Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1015096
SecurityTracker URL:  http://securitytracker.com/id/1015096
CVE Reference:   CVE-2005-3311   (Links to External Site)
Updated:  Nov 2 2008
Original Entry Date:  Oct 24 2005
Impact:   Modification of system information, Modification of user information, Root access via local system, User access via local system
Vendor Confirmed:  Yes  
Version(s): 6.1.03; possibly other versions
Description:   A vulnerability was reported in BMC's CONTROL-M. A local user may be able to gain elevated privileges on the target system.

The software creates temporary files in an unsafe manner in the '/tmp' directory. The '/tmp/ctm' directory is created when the first scheduled job is run following a system reboot.

A local user may be able to create the temporary directory or files in that directory prior to the time when CONTROL-M attempts to create the directory. This may allow the local user to create a symbolic link (symlink) from a critical file on the system to a temporary file to be used by CONTROL-M. Then, when the temporary file is written by CONTROL-M, the symlinked file may be created or overwritten with the privileges of the CONTROL-M process.

The vendor has been notified.

Scott Cromar reported this vulnerability.

Impact:   A local user may be able to create or overwrite files with the privileges of the CONTROL-M process.
Solution:   No solution was available at the time of this entry. The vendor plans to issue a fix in a future release.
Vendor URL:  www.bmc.com/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  UNIX (Any)
Underlying OS Comments:  Tested on Solaris

Message History:   None.


 Source Message Contents

Subject:  Insecure Temporary Files in BMC/Control-M Agent

BMC's Control M is an enterprise scheduling facility. 
Unfortunately, 
the agent software suffers from a problem with
insecure temporary file 
creation.  We noticed the problem on Solaris systems
running the version 
6.1.03 with current patches; it is reasonable to
assume that other OS 
platforms and versions are also affected.
 
The scripts to be run by a Control M job are stored in
temporary files 
with names like:
/tmp/ctm/CMD.10637  
 
The contents appear to be the contents of a job as
created by a Control 
M user.
 
The /tmp/ctm directory is created during the first
scheduled job that 
is run following a reboot.  Normally it is created
with root ownership 
and 755 permissions.  Depending on how frequently jobs
are run on a 
particular client, this may leave a significant window
of opportunity for 
some nefarious soul to create this directory with
other permissions or 
to create appropriately (or inappropriately) named
links.
 
It is left as an exercise to the reader to identify
ways in which to 
screw the system to the ground.
 
One less than ideal work-around would be to create the
/tmp/ctm 
directory before sshd, inetd or cron start up--say at
/etc/rc2.d/S68 in the 
boot cycle on Solaris 8.
 
BMC has been notified of this problem and has opened
up problem ticket 
number BMPM010114.  According to BMC Support, a fix
will be 
"implemented in a future release."  Rather than
waiting, I strongly suggest the 
workaround above.
 
Good luck:
--Scott




	
		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC