Advisory #: 59
Title: /tmp Symlink Vulnerability with ZeroG's InstallAnywhere5
Author: Larry W. Cashdollar, @_larry0
Date: 2002-12-20
Download Site:
Vendor Notified: 2002-12-20
Vendor Contact:
Description: InstallAnywhere ( is a software framework that simplifies software installation on multiple client and server platforms. This software is utilized by such vendors like LimeWire ( During execution this software insecurely creates two file in /tmp that can be used to clobber system files through symlink attacks. During the creation of one file a race condition exists to determine the filename the other requires no guesswork.
I noticed InstallAnywhere creates the following files in /tmp: persistent_state Where NNNNN is the current process id or ($$) These files can be used to clobber system files if the installation software is run as root. A malicious attacker can create a symlink in /tmp to point to a critical system file. This system file will be over written with the contents of the temporary file. For example ''[nobody $] ln -s /etc/passwd /tmp/persistent_state'' Then if root runs software utilizing the InstallAnywhere software (in my case it was LimeWire) the contents of /etc/passwd will be overwritten with the contents of persistent_state. The file appears to be created during the execution of InstallerData/makeExecutable/ The persistent_state file might be created during the execution of ./InstallerData/com/zerog/registry/UUID.class A basic check with 'strings' leads me to believe this. Local attackers can exploit this vulnerability to clobber root owned system files, this could possibly lead to a denial of service or system compromise. If software utilizes InstallAnywhere v5.0.6 to perform system installation then you are vulnerable. I tested the enterprise edition that I downloaded from them for a free evaluation.
Exploit Code:
Screen Shots: