Bugtraq mailing list archives
Re: ISS install.iss security hole
From: pjb1008 () CAM AC UK (Peter Benie)
Date: Mon, 22 Feb 1999 18:10:54 +0000
Fyodor writes ("ISS install.iss security hole"):
> # Only root can pass the next four operations.
> # Yes it's ugly - BUT IT WORKS!
> touch /tmp/.root.$$ >> /dev/null 2>&1
> chmod 600 /tmp/.root.$$ >> /dev/null 2>&1
>
> Obviously this is vulnerable to the standard tmp-symlink problem. And they don't even look for the file first, so there is no need to worry about exploiting race conditions -- just stick the 65K symlinks in /tmp and wait for root to install ISS (you might have to wait a while ;). I've tested that you can chmod whatever file you want to 600. This could make for an easy DOS, but off the top of my head I don't see much more exploit potential.
There is a second problem, but it's not as obvious. The 'touch' program first calls stat() to check if the file exists. If it does, it calls utime() to update the timestamps; if it doesn't, it calls fopen(filename, "w"). fopen will call creat() (or equivalent), truncating the named file. If you can predict the filename given to 'touch' (hard in this case, but definitely possible with other scripts), you can create a symlink between the stat() and the creat() system calls and truncate any file on the system. (Not bad - two security holes in two lines...)

Peter Benie
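The stat()-then-creat() sequence Peter describes, beside the single-syscall form that closes the window, as an added example that is not part of the post or of the ISS script. The scratch directory, the "victim" file and the predictable link name .root.1234 are all constructed here for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What fopen(path, "w") / creat() does once the race is lost: it follows a
 * symlink placed at path and truncates whatever the link points to. */
static int unsafe_create(const char *path) {
    int fd = creat(path, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Hardened form: O_EXCL refuses any existing entry (symlinks included) and
 * O_NOFOLLOW refuses to traverse one, so a planted link fails with EEXIST or
 * ELOOP instead of being followed. Check and create are one system call, so
 * there is no stat()/creat() gap to race. */
static int safe_create(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -1 : close(fd);
}

static off_t size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Self-contained check in a private scratch directory (constructed here):
 * plants a symlink at a predictable name and returns 0 when safe_create()
 * refuses it while unsafe_create() follows it and truncates the target. */
int symlink_guard_demo(void) {
    char dir[] = "/tmp/sgdemo.XXXXXX";
    if (!mkdtemp(dir)) return 1;
    char victim[64], link[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/.root.1234", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return 2;
    fputs("important data\n", f);
    fclose(f);
    int rc = 0;
    if (symlink(victim, link) != 0) rc = 3;
    else if (safe_create(link) != -1 || (errno != EEXIST && errno != ELOOP)) rc = 4;
    else if (size_of(victim) == 0) rc = 5;   /* hardened call left the target alone */
    else if (unsafe_create(link) != 0 || size_of(victim) != 0) rc = 6; /* creat() followed it */
    unlink(link); unlink(victim); rmdir(dir);
    return rc;
}
```

Shell scripts get the same guarantee from mktemp(1), which creates with O_CREAT|O_EXCL, or by avoiding /tmp altogether and checking `id -u` for the root test the ISS script was trying to do.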