Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Re: Security problem in Slackware.

Re: Security problem in Slackware.

From: Peter van Dijk <peter_at_attic.vuurwerk.nl>
Date: Fri, 13 Mar 1998 16:34:58 +0100

On Wed, 11 Mar 1998, Suman_Saraf wrote:

> Hi,
>
> I just found out that the setup program in slackware creates a file called
> hdtest in /tmp without checking for its existence.
>
> So a malicious user could just create a symlink to any root owned file and
> it will get fucked up when the administrator runs setup.
>
> In my case I just created a symlink to /etc/passwd and when I exit the
> setup the file contains only "EXIT" :-)
>
> Lemme know if something has been done about it already.
I have Slackware 3.4 (the newest) and I've been following the ChangeLog on
ftp.cdrom.com. It only lists a fix for a bug I submitted (imapd/ipop3d
coredump).

[root_at_koek] /tmp# nd test
[root_at_koek] /tmp/test# echo "root owns this file" > rootfile
[root_at_koek] /tmp/test# cat rootfile
root owns this file
[root_at_koek] /tmp/test# ls -al rootfile
-rw-r--r-- 1 root root 20 Mar 13 16:21 rootfile

[peter_at_koek] /tmp$ ln -sf test/rootfile hdset

[root_at_koek] /tmp/test# setup

[peter_at_koek] /tmp$ ls -al test/rootfile
-rw-r--r-- 1 root root 4 Mar 13 16:23 test/rootfile
[peter_at_koek] /tmp$ cat test/rootfile
EXIT[peter_at_koek] /tmp$

So, it does still work.
Another thing that might be interesting are the /tmp/SeT* files.
setup creates them while running (starting with rm -f /tmp/Set*). But
while setup is running you should be able to create some symlinks, like
some kind of race. Only this time, you're racing a human ;)

Another file that can be exploited is /tmp/slackdir, which records which
directory should be the root of the slackware filesystem. Very unlikely to
be used, but worth noting.

pkgtool does things like this in:
/tmp/{reply,viewscr,return,tmpmsg,rmscript,wdrive,sets,pkgdir,mntans,tagfile,
      skip}
and all kinds of /tmp/SeT* (which it cleans up when starting, like setup
does).

The best fix for this would be to let all these programs use their own
tmp-dir, because they're going to be run as root anyway.

Greetz, Peter.

------------------------------------------------------------------------------
 'Selfishness and separation have led me to . Peter 'Hardbeat' van Dijk
  to believe that the world is not my problem . network security consultant
  I am the world. And you are the world.' . (yeah, right...)
          Live - 10.000 years (peace is now) . peter_at_attic.vuurwerk.nl
------------------------------------------------------------------------------
  4:19pm up 18:48, 4 users, load average: 0.00, 0.02, 0.00
------------------------------------------------------------------------------
Received on Mar 15 1998

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos