Bugtraq mailing list archives

Re: ISS install.iss security hole


From: pjb1008 () CAM AC UK (Peter Benie)
Date: Mon, 22 Feb 1999 18:10:54 +0000


Fyodor writes ("ISS install.iss security hole"):
  # Only root can pass the next four operations.
  # Yes it's ugly - BUT IT WORKS!
  touch /tmp/.root.$$ >> /dev/null 2>&1
  chmod 600 /tmp/.root.$$ >> /dev/null 2>&1

Obviously this is vulnerable to the standard tmp-symlink problem.  And
they don't even look for the file first, so there is no need to worry
about exploiting race conditions -- just stick the 65K symlinks in /tmp
and wait for root to install ISS (you might have to wait a while ;). I've
tested that you can chmod whatever file you want to 600.  This could make
for an easy DoS, but off the top of my head I don't see much more exploit
potential.

There is a second problem, but it's not as obvious.

The 'touch' program first calls stat() to check if the file exists.
If it does, it calls utime() to update the timestamps; if it doesn't,
it calls fopen(filename, "w"). fopen will call creat() (or equivalent),
truncating the named file.

If you can predict the filename given to 'touch' (hard in this case,
but definitely possible with other scripts), you can create a symlink
between the stat() and the creat() system calls and truncate any file
on the system.

(Not bad - two security holes in two lines...)

Peter Benie
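The two failure modes above (a pre-planted symlink at a predictable name, and the stat()/creat() window inside touch) have the same fix: create the file with a single atomic open(2) that refuses to follow or reuse an existing name. The following is an added example, not code from the original post or from ISS; it builds a constructed scenario inside a private mkdtemp() directory (a victim file plus a symlink named like the script's `/tmp/.root.$$` file) and compares touch-style `fopen(path, "w")` with `open(path, O_CREAT|O_EXCL|O_NOFOLLOW, 0600)`. The directory, file names and file contents are all made up for the demonstration.

```c
/* Added example (not from the original post): touch-style creation versus an
 * atomic O_EXCL|O_NOFOLLOW open, run against a constructed symlink scenario
 * inside a private mkdtemp() directory so nothing outside it is touched. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What touch(1) does for a name that does not exist, as the post describes:
 * fopen(path, "w") follows a symlink and truncates whatever it points at. */
static int touch_style_create(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fclose(f);
    return 0;
}

/* Hardened creation. O_CREAT|O_EXCL fails with EEXIST if anything, including
 * a dangling symlink, already occupies the name, and O_NOFOLLOW makes a symlink
 * at the final component fail with ELOOP instead of being followed. The check
 * and the create are one system call, so there is no stat()/creat() window,
 * and mode 0600 is applied at creation, so no separate chmod can be raced.
 * Returns an open fd, or -1 with errno set. */
int safe_create_private(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long file_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (long)st.st_size;
}

/* Constructed scenario: a victim file with 24 bytes of known content and a
 * symlink at the predictable name pointing at it. Returns the victim's size
 * after the chosen creation routine ran on the symlink name, or -1 on setup
 * failure. Expected: 0 for touch-style (truncated), 24 for the safe open. */
long victim_size_after(int use_safe_open)
{
    char dir[] = "/tmp/symdemoXXXXXX";        /* private scratch directory */
    char victim[512], lure[512];
    const char *payload = "important configuration\n";   /* constructed */
    long size = -1;
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(lure, sizeof lure, "%s/.root.1234", dir);   /* stands in for /tmp/.root.$$ */

    if ((f = fopen(victim, "w")) == NULL)
        goto out;
    fputs(payload, f);
    fclose(f);

    /* The pre-planted symlink from the post, pointing at the victim. */
    if (symlink(victim, lure) != 0)
        goto out;

    if (use_safe_open) {
        int fd = safe_create_private(lure);
        if (fd >= 0)
            close(fd);       /* not expected: the name is occupied by a symlink */
    } else {
        touch_style_create(lure);
    }
    size = file_size(victim);

out:
    unlink(lure);
    unlink(victim);
    rmdir(dir);
    return size;
}

int main(void)
{
    printf("victim size after touch-style fopen: %ld\n", victim_size_after(0));
    printf("victim size after O_EXCL|O_NOFOLLOW open: %ld\n", victim_size_after(1));
    return 0;
}
```

In the hardened path the open fails with EEXIST (O_EXCL sees the symlink as an existing entry) and the victim keeps its 24 bytes; in the touch-style path the victim is truncated to 0. For a script, the equivalent is to use mktemp(1) for temporary names and to check privilege with `id -u` rather than by probing /tmp at all.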


