[SRT2001-10] - scoadmin /tmp issues

Type securityvulns
Reporter Securityvulns
Modified 2001-05-24T00:00:00


====================================================================== Strategic Reconnaissance Team Security Advisory(SRT2001-10) Topic: scoadmin /tmp issues Vendor: Santa Cruz Operations Release Date: 05/07/01 ====================================================================== .: Description scoadmin makes poor use of /tmp. File names are very predictable

.: Impact As a user: ln -s /etc/passwd /tmp/tclerror.1195.log Wait for root to run scoadmin from xwindows and viola! When he does, he will clobber /etc/passwd with a garbage file.

In order to get the /tmp/tclerror.pid.log you need for root to have an improper term or cause some other error to happen. A good way to force an error is to stop xm_vtcld from opening... kindly leave a file where it wants its socket and it will complain.

As a normal user: touch /tmp/5111_342.0 When root goes to run sco admin he will get an error and clobber his passwd file due to the ln -s on the tclerror.PID.log you left for him.

.: Workaround Don't use scoadmin.

.: Systems Affected Unixware 5.x

.: Proof of Concept ln -s /etc/passwd /tmp/tclerror.1195.log

.: Vendor Status A copy of this advisory was mailed to their attention

.: Credit Kevin Finisterre dotslash@snosoft.com


====================================================================== ©Copyright 2001 Secure Network Operations , Inc. All Rights Reserved. Strategic Reconnaissance Team | recon@snosoft.com http://recon.snosoft.com | http://www.snosoft.com