4620307 1999-12-28  23:19  /167 rader/ Postmaster
Mottagare: Bugtraq (import) <9065>
Ärende: L0pht Advisory: initscripts-4.48-1 RedHat Linux 6.1
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.BSO.4.21.9912272208120.8408-100000@0nus.l0pht.com>
Date:         Mon, 27 Dec 1999 22:09:46 -0500
Reply-To: Mudge <mudge@L0PHT.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Mudge <mudge@L0PHT.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

                           L0pht Security Advisory

                         Advisory Released 12.27.1999
                 Application: initscripts-4.48-1 on RedHat Linux
      Severity: A malicious local user can execute arbitrary code as another
                   user who logs in with the csh or tcsh shell
         Status: Problem is believed fixed -- see RHSA-199:052-04

                           Author mudge@l0pht.com
                   http://www.l0pht.com/advisories.html

Overview:

The initscripts package contains, among other things, the default
system shell initialization scripts. These scripts are executed upon
login for users automatically. This advisory adresses a problem with
one of the script's insecure use of temporary files. We describe the
problem, offer a quick solution, and then provide a tool for
demonstration of the attack.

[ Note: We missed the fact that RedHat had fixed this problem but they have :)
    This advisory is being released so that people can see how we approached
    the problem, the tool that was created for proof of concept, and
    ideas on how to avoid these types of problems in scripts. The RedHat
    Advisory is RHSA-1999:052-04 ]


Description:

The system-wide csh.login ( /etc/csh.login ) file tests for the
existance of the /etc/profile.d directory. If the directory exists it
sources each file that exists in the directory that has a '.csh'
suffix. Of these scripts, the lang.csh file tests for the existance
of the /etc/sysconfig/i18n file and, if it exists, creates a shell
script from the file after converting it to csh syntax. This file is
created in the /tmp directory using the process ID as it's extension.

The offending lines of the code are:

    sed 's|=C$|=en_US|g' /etc/sysconfig/i18n | sed "s|=| |g"  \
        | sed "s|^\([^#]\)|setenv \0|g" > /tmp/csh.$$
    source /tmp/csh.$$
    rm -f /tmp/csh.$$

As one can see, predicting the pid and pre-creating a link needs a
few slight tweaks to work here. If the file linked to does not have
the correct restrictive permissions, the redirection of the output
from the sed(1) command will overwrite the file. If this happens the
only chance for attack here is to replace the file between the end of
the sed(1)  line and before the next script command that sources the
target file. This is an extremely small window to race.

If however, the temporary file is pre-created with a link pointing to
a file with restrictive permissions such as 0444 then the destructive
redirection of the output from the sed(1) command will fail. The next
line will source the pre-created file and the line after that will
attempt to remove it.

The only caveat to this is that the user logging in will see an error
message on the attempt to redirect the output into the pre-created
file.  However, experience shows that the majority of users ignore
such messages.

All of the requirements for this attack to work are met in the
default US full install of RedHat 6.1.

Quick solution:

If temporary files must be created in public areas, which is not the
only way to do it here, then proper care must be taken. One possible
solution is to create a subdirectory in the public area and continue
with the needed temporary files residing there. This solution works
when care is taken to check the return value of the mkdir(1) command
and use its atomic nature to ensure that race tricks are not played.

  mkdir --mode=700 /tmp/csh_login.$$
  if ($status != 0) then
    echo "potential problem -- directory /tmp/csh_login.$$ already exists!"
    exit
  endif

  sed 's|=C$|=en_US|g' /etc/sysconfig/i18n | sed "s|=| |g"  | sed "s|^\([^#]\)|setenv \0|g" > /tmp/csh_login.$$/csh.$$
    source /tmp/csh_login.$$/csh.$$
    rm -f /tmp/csh_login.$$/csh.$$
    rmdir /tmp/csh_login.$$

The diff appears as follows:

--- /etc/profile.d/lang.csh     Sun Sep 26 13:49:11 1999
+++ ./lang.csh.modified Sun Dec 26 20:59:25 1999
@@ -3,7 +3,14 @@
 test -f /etc/sysconfig/i18n
 if ($status == 0) then
-    sed 's|=C$|=en_US|g' /etc/sysconfig/i18n | sed "s|=| |g"  | sed "s|^\([^#]\)|setenv \0|g" > /tmp/csh.$$
-    source /tmp/csh.$$
-    rm -f /tmp/csh.$$
+    /bin/mkdir --mode=700 /tmp/csh_login.$$
+    if ($status != 0) then
+      echo "potential problem -- directory /tmp/csh_login.$$ already exists!"
+      exit
+    endif
+
+    sed 's|=C$|=en_US|g' /etc/sysconfig/i18n | sed "s|=| |g"  | sed "s|^\([^#]\)|setenv \0|g" > /tmp/csh_login.$$/csh.$$
+    source /tmp/csh_login.$$/csh.$$
+    rm -f /tmp/csh_login.$$/csh.$$
+    /bin/rmdir /tmp/csh_login.$$

     if ($?SYSFONTACM) then

Exploit:

The exploit tools can be found at the following URL:
                http://www.l0pht.com/advisories/init.tar.gz

The exploit works as follows:

    The script to force the user to execute is specified on the
    command line. If the script is not prepped with the correct
    permissions they are altered. It should be noted that the full
    path and filename should be specified here for the target script.

    The program watches /etc/csh.login for the access time to
    change.

    Upon seeing the a_time change the /proc directory is opened and
    walked looking for processes with the name of (tcsh).

    For each entry it sees, a symbolic link is created to the target
    script suffixed with the tcsh process ID.

    The targeted file is then watched for the a_time to change, which
    would signify execution. Upon seeing this the symbolic links that
    were created in the /tmp directory are removed.

    A sample might be to create a file in /var/tmp such as demo.csh
    which would contain the following:

      touch /tmp/`/usr/bin/whoami`.$$

      And run the program as: ./init_race -f /var/tmp/demo.csh

      The user logging in will see the error message
        /tmp/csh.## : Permission denied.
      Which signifies that we have won the race and a file will
      be created in the /tmp directory with the users name and the
      current pid. Of course, a malicious user could specify more
      nefarious scripts could be used in place of the above benign sample.

cheers,

.mudge

mudge@l0pht.com

  [ For more advisories check out
http://www.l0pht.com/advisories.html ]
(4620307) ------------------------------------------(Ombruten)