Bugtraq mailing list archives

ISS Security Advisory: BMC PATROL File Creation Vulnerability


From: xforce () ISS NET (X-Force)
Date: Mon, 2 Nov 1998 17:57:11 -0500


-----BEGIN PGP SIGNED MESSAGE-----


ISS Security Advisory
November 2nd, 1998

BMC PATROL File Creation Vulnerability

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a vulnerability in BMC
Software PATROL(r) Patrol network management software.  PATROL contains a
vulnerability that may allow local attackers to compromise root access.  The
agent creates insecure temporary files that may lead to a symbolic link attack.

Affected Versions:

ISS X-Force has confirmed that this vulnerability exists on version 3.2.3 of
PATROL Agent(tm) software product.  Earlier versions of PATROL Agent are also
vulnerable.

Executing any of the PATROL binaries with the -v flag will report version
information.

Fix Information:

BMC Software was notified of this vulnerability on August 20, 1998.
Contact BMC Software at http://www.bmc.com to obtain a patch when it is made
available.

Until a patch is available, ISS suggests administrators restrict access to
PATROL Agent.  Administrators are encouraged to create a system administrator
group and to only allow Administrators execute permission on PATROL Agent.
This temporary fix may help contain the vulnerability until a patch is made
available.

Description:

PATROL Agent is installed setuid root with world-execute permissions.  When
PATROL Agent is executed, it creates temporary files on the system.  These
files are opened and written to in an insecure manner.  This allows local users to
create a symbolic link to a privileged file.  This link is then followed upon
the initialization of PATROL Agent.  Attackers may use this vulnerability to
overwrite any file or create a new file that is owned by root.  Attackers
commonly use this method to indirectly compromise root access.

Temporary files that follow symbolic links are a common source of
vulnerabilities in setuid root executables.  Administrators should remove or
restrict access to suid executables if possible.

Developers of setuid programs need to take special precautions to protect
their programs from creating new vulnerabilities on the systems on which
they are installed.  The ISS X-Force recommends that all Unix developers
become familiar with Matt Bishop's secure programming tutorials available at:
http://olympus.cs.ucdavis.edu/~bishop/secprog.html
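
The file-creation pattern described above, next to a hardened form, as an added
example (not code from the advisory, ISS, or BMC; PATROL's own source is not
shown in the advisory). The function names, the file names "protected" and
"agent.tmp", and the scratch directory are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: a predictable name opened without O_EXCL. If a symlink
 * already sits at `path`, open() follows it and truncates the link target. */
int open_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * symlink, already exists at `path`; O_NOFOLLOW is defense in depth. */
int open_hardened(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private mkdtemp() directory (hypothetical
 * names). hardened=0 uses open_insecure, hardened=1 uses open_hardened.
 * Returns the protected file's size afterwards: 4 = intact, 0 = clobbered. */
long run_scenario(int hardened) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", target[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(tmp, sizeof tmp, "%s/agent.tmp", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4) return -1;
    close(fd);
    if (symlink(target, tmp) != 0) return -1;  /* link exists before the open */

    fd = hardened ? open_hardened(tmp) : open_insecure(tmp);
    if (fd >= 0) close(fd);
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;

    unlink(tmp); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("insecure: %ld bytes left, hardened: %ld bytes left\n",
           run_scenario(0), run_scenario(1));
    return 0;
}
```

Where the file name does not need to be fixed, mkstemp() combines an
unpredictable name with the same exclusive-create semantics.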

- ----------

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this alert in
any other medium excluding electronic medium, please e-mail xforce () iss net
for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force <xforce () iss net> of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

-----END PGP SIGNATURE-----


