Bugtraq mailing list archives
ISS install.iss security hole
From: fyodor () DHP COM (Fyodor)
Date: Sat, 20 Feb 1999 20:59:23 -0500
Today I downloade the latest trial version of Internet Security Scanner for Linux (version 5.3). The install program (shell script) requires that you be root, even if you want to install ISS in your home directory. I decided to edit the script to comment out the root-check, and was rather shocked when I saw what they are doing in install.iss: # Only root can pass the next four operations. # Yes it's ugly - BUT IT WORKS! touch /tmp/.root.$$ >> /dev/null 2>&1 chmod 600 /tmp/.root.$$ >> /dev/null 2>&1 Obviously this is vulnerable to the standard tmp-symlink problem. And they don't even look for the file first, so there is no need to worry about exploiting race conditions -- just stick the 65K symlinks in /tmp and wait for root to install ISS (you might have to wait a while ;). I've tested that you can chmod whatever file you want to 600. This could make for an easy DOS, but off the top of my head I don't see much more exploit potential. While this is probably not going to be exploited much (if ever), it really concerns me that kindergarden-level security holes are still present in current mass market **security** software. Remember that ISS chooses not to offer us (or even paying customers!) the source code for their scanner. So we have to trust ISS programmers are highly competent and aware of secure coding issues. When I find problems like the one above without even looking for them, I have to wonder whether this trust is misplaced. Cheers, Fyodor PS (shameless plug): Version 2.08 of the nmap security scanner is available free, with source code, at http://www.insecure.org/nmap/ -- Fyodor 'finger pgp () www insecure org | pgp -fka' "Girls are different from hacking. You can't just brute force them if all else fails." --SKiMo, quoted in _Underground_ (good book)
Current thread:
- Summary: Copyright on Security advisories, (continued)
- Summary: Copyright on Security advisories Aviram Jenik (Feb 22)
- Re: Process table attack (from RISKS Digest) Dug Song (Feb 22)
- NetBus client 1.x overflow Daniel Rosowski (Feb 22)
- Re: Process table attack (from RISKS Digest) James Lockwood (Feb 22)
- Re: Process table attack (from RISKS Digest) Dirk Moerenhout (Feb 22)
- Re: Process table attack (from RISKS Digest) unknown () RIVERSTYX NET (Feb 22)
- Re: Process table attack (from RISKS Digest) Andrew Hobgood (Feb 22)
- Denial of service process table attacks John Conover (Feb 23)
- Group kmem exploitable? Oliver Xymoron (Feb 23)
- Re: Pro/wuFTPD DoS Alex Belits (Feb 21)
- ISS install.iss security hole Fyodor (Feb 20)
- Re: ISS install.iss security hole Joel Eriksson (Feb 22)
- Preventing remote OS detection Patrick Gilbert (Feb 22)
- Re: Preventing remote OS detection James Lockwood (Feb 22)
- Re: Preventing remote OS detection route () RESENTMENT INFONEXUS COM (Feb 22)
- Re: Preventing remote OS detection Salvatore Sanfilippo (Feb 23)
- Re: ISS install.iss security hole Peter Benie (Feb 22)
- Re: ISS install.iss security hole Michael Warfield (Feb 22)
- BlackHats Advisory -- InterScan VirusWall The Unicorn (Feb 22)
- Microsoft Security Bulletin (MS99-007) aleph1 () UNDERGROUND ORG (Feb 22)