Bugtraq mailing list archives
Possible race condition in Symantec AntiVirus Scan Engine for Red Hat Linux during LiveUpdate
From: "Dr. Peter Bieringer" <pbieringer () aerasec de>
Date: Mon, 16 Feb 2004 16:49:53 +0100
Hi,during evaluation of Symantec AntiVirus Scan Engine for Red Hat Linux (file: Scan_Engine_430-RedHat-1.zip) we found a race condition using default configuration.
Like written in "Implementation_Guide.pdf" on page 134 LiveUpdate can be triggered by cron via a shell script:
# /opt/SYMCScan/bin/liveupdate.sh -virusdefs or # /bin/sh /opt/SYMCScan/bin/liveupdate.sh -virusdefs This will create a log file in /tmp with a very predictable name: "/tmp/LiveUpdate.log" (with permissions of 644) # ll /tmp/ -rw-r--r-- 1 symantec avdefs 4517 Feb 16 15:05 LiveUpdate.log This is defined in the config file "liveupdate.conf": # cat /etc/liveupdate.conf protocol=http host=liveupdate.symantec.com workdir=/tmp logfile=/tmp/LiveUpdate.log <---!!!!!! Impact:Before first run of LiveUpdate (like suggested in doc, user "symantec" does this) a possible race condition via a symlink attack by another user will result in the creation of a new file (as user "symantec") or appending LiveUpdate log to an existent file (owned by user "symantec").
Additional *important* note:Because the PDF document doesn't match the as-it-is of the installation (an user "symantec" can't execute liveupdate.sh" without adjusting the permissions of the shell script and the directory "virusdefs") it's very possible, that admins configure the crontab entry for "liveupdate.sh" as user "root"!
# ll /opt/SYMCScan/bin/liveupdate.sh-rwxr-x--- 1 root root 14700 Feb 16 16:16 /opt/SYMCScan/bin/liveupdate.sh
# ll /opt/SYMCScan |grep virusdefs drwxr-xr-x 2 root root 4096 Feb 16 16:16 virusdefs BTW: The installer uses PID for tmp directory naming, another minor issue... # ll /tmp/ drwxr-xr-x 2 root root 4096 Feb 16 15:47 symcinst9918 # ps -ax | grep 9918 9918 pts/0 S 0:02 sh ./ScanEngine.sh -> fix to a unpredictable name BTW2: looks like a temp directory during install has always the same name. # ll /tmp/ drwx------ 2 root root 4096 Feb 16 16:16 savsetmp -> fix to a unpredictable name BTW3: temporary directory during LiveUpdate run has permissions 755 # ll /tmp/ drwxr-xr-x 2 root root 4096 Feb 16 16:37 1076967476267-> fix permissions to at least 750, perhaps it's also not the best method to use Unix time in milliseconds to name this directory.
Suggestions/workarounds:
* for the software vendor:
use a better default value, e.g.
logfile=/var/log/LiveUpdate.log
Fix permissions of log file to at least 640
Fix PDF document or/and permissions for
liveupdate.sh and directory virusdefs
(and on RHL systems: "/usr/bin/sh" doesn't exist, fix to "/bin/sh")
Fix predictable directory names during installation
Fix permissions of temp directory during LiveUpdate run to at least 750
Fix name of temp directory to a more unpredictable one
* for administrators:
adjust config file before first run of the LiveUpdate process
adjust permissions of
liveupdate.sh and directory virusdefs
and run liveupdate.sh as non-root user
Regards,
Dr. Peter Bieringer
--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Straße 1 Mobile: +49-174-9015046
D-85662 Hohenbrunn E-Mail: pbieringer () aerasec de
Germany Internet: http://www.aerasec.de
Current thread:
- Possible race condition in Symantec AntiVirus Scan Engine for Red Hat Linux during LiveUpdate Dr. Peter Bieringer (Feb 16)