Bugtraq mailing list archives

CERT Vendor-Initiated Bulletin VB-97.05 - Vul in Lynx Temporary

From: dube0866 () EUROBRETAGNE FR (Nicolas Dubee)
Date: Sat, 1 Jan 1994 23:09:09 +0100


            plaguez security advisory n. 7

              admin-v1.2 vulnerabilities



Program:  the admin-v1.2 package, a system administration
          tool.

Version:  current (v1.2)
          older ones.

OS:       verified on Linux, maybe others too.

Problem:  temporary files / symlinks

Impact:   any file on an affected system can be overwritten,
          regardless of access permissions.




hello,

this week, I'll focus on a little sysadmin tool
called admin-v1.2 (found on Sunsite: system/Admin/),
and I'll show how several little vulnerabilities
can be exploited to trash any file on an affected
system.

as always, sorry if it's known stuff.

Description:
------------

Several vulnerabilities exist in the admin-v1.2 package,
an interactive system managment tool by Emmett Sauer and
Linux Business Systems.

By exploiting those vulnerabilities, local users can erase
arbitrary files on the system, regardless of access permissions.

admin-v1.2 does not properly handle temporary files. It writes
user menu choices and more to temporary files in the /tmp directory.
These files are named using the syntax /tmp/name.$$, some do
not even use the $$ suffix. Unfortunatly, admin-v1.2 does not
check if these files exist and will follow symlinks. It is then
possible to overwrite any file on the system.

An attacker could for example link any of these temporary files to
/etc/passwd or /.rhosts and wait for the administrator to use
admin-v1.2. The target file would be erased or trashed with
random data. It may also be possible to use admin-v1.2 to gain
root privileges, though I did not manage to do it.


Fix:
----

Remove the admin-v1.2 package.




well, that's it for this week. Next week, next hole ! :)




---------------------------
         plaguez
 dube0866 () eurobretagne fr
http://plaguez.insomnia.org
---------------------------
_Free_ security probes, Unix programming.

ps.: the above url courtesy of TheFloyd.

Current thread:

Vulnerability in Glimpse HTTP Razvan Dragomirescu (Jul 02)
- Re: Vulnerability in Glimpse HTTP Brian Gentry (Jul 02)
  - Re: Vulnerability in Glimpse HTTP Jean-Christophe Touvet (Jul 03)
  - Re: Vulnerability in Glimpse HTTP Paul Phillips (Jul 08)
    - Re: Vulnerability in Glimpse HTTP Oliver Friedrichs (Jul 09)
    - CERT Vendor-Initiated Bulletin VB-97.05 - Vul in Lynx Temporary Nicolas Dubee (Jan 01)
    - Re: Vulnerability in Glimpse HTTP Martin Pool (Jul 10)
    - It's not over yet. Aleph One (Jul 11)
    - It's not over yet. Manley, Jim W (Jul 11)
    - More information about JavaScript bug Dominick Matthias PN OIL 6 (Jul 11)
    - new post SP3 hotfix: lm-fix Alex Libenson (Jul 12)
    - Minor PGP vulnerability Harald Weidner (Jul 15)
    - GetAdmin - Hotfix silent release ? Olivier Gerschel (Jul 16)
    - Re: Minor PGP vulnerability Lucky Green (Jul 16)
    - CERT Advisory CA-97.21 - SGI Buffer Overflow Vulnerabilities Aleph One (Jul 17)
    - slight misinformation in CA-97.21 Dave Kormann (Jul 17)

(Thread continues...)