(no subject)

Nicolas Dubee (dube0866@EUROBRETAGNE.FR)
Sat, 01 Jan 1994 23:09:09 +0100

plaguez security advisory n. 7

admin-v1.2 vulnerabilities

Program: the admin-v1.2 package, a system administration
tool.

Version: current (v1.2)
older ones.

OS: verified on Linux, maybe others too.

Problem: temporary files / symlinks

Impact: any file on an affected system can be overwritten,
regardless of access permissions.

hello,

this week, I'll focus on a little sysadmin tool
called admin-v1.2 (found on Sunsite: system/Admin/),
and I'll show how several little vulnerabilities
can be exploited to trash any file on an affected
system.

as always, sorry if it's known stuff.

Description:
------------

Several vulnerabilities exist in the admin-v1.2 package,
an interactive system managment tool by Emmett Sauer and
Linux Business Systems.

By exploiting those vulnerabilities, local users can erase
arbitrary files on the system, regardless of access permissions.

admin-v1.2 does not properly handle temporary files. It writes
user menu choices and more to temporary files in the /tmp directory.
These files are named using the syntax /tmp/name.$$, some do
not even use the $$ suffix. Unfortunatly, admin-v1.2 does not
check if these files exist and will follow symlinks. It is then
possible to overwrite any file on the system.

An attacker could for example link any of these temporary files to
/etc/passwd or /.rhosts and wait for the administrator to use
admin-v1.2. The target file would be erased or trashed with
random data. It may also be possible to use admin-v1.2 to gain
root privileges, though I did not manage to do it.

Fix:
----

Remove the admin-v1.2 package.

well, that's it for this week. Next week, next hole ! :)

---------------------------
plaguez
dube0866@eurobretagne.fr
http://plaguez.insomnia.org
---------------------------
_Free_ security probes, Unix programming.

ps.: the above url courtesy of TheFloyd.