From lwc@vapid.ath.cx Mon Dec 16 16:40:11 2002
Date: Thu, 5 Dec 2002 18:05:28 -0500 (EST)
From: Larry W. Cashdollar
To: kf@snosoft.com
Subject: Temporary file race conditions with InstallAnywhere 5.

Here is what I will be sending out in another few days.

Vapid Labs Security Note

Summary:

InstallAnywhere is a software framework that simplifies software installation on multiple client and server platforms. This software is used by vendors such as LimeWire (www.limewire.org). During execution this software insecurely creates two files in /tmp that can be used to clobber system files through symlink attacks. For one of the files a race condition exists to determine the filename; the other requires no guesswork.

Vendor: http://www.zerog.com
Notified: 11/30/2002

Problem:

I noticed InstallAnywhere creates the following files in /tmp:

    persistent_state
    env.properties.NNNNN

Where NNNNN is the current process id ($$).

These files can be used to clobber system files if the installation software is run as root. A malicious attacker can create a symlink in /tmp pointing to a critical system file. That system file will then be overwritten with the contents of the temporary file. For example:

    [nobody $] ln -s /etc/passwd /tmp/persistent_state

Then if root runs software utilizing the InstallAnywhere framework (in my case it was LimeWire) the contents of /etc/passwd will be overwritten with the contents of persistent_state.

The env.properties.NNNNN file appears to be created during the execution of InstallerData/makeExecutable/laxunix.sh

The persistent_state file might be created during the execution of ./InstallerData/com/zerog/registry/UUID.class

I don't have the Java experience or tools to investigate this.

Fix:

This isn't a horrible security hole, but it could be easily fixed by creating a subdirectory to work from under /tmp and chown/chmoding it down to very restrictive permissions.

--
Larry Cashdollar
http://vapid.dhs.org
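The fix proposed above, worked out as a shell fragment. This is an added example, not code from InstallAnywhere or its laxunix.sh; the directory template name and the two file names written into it are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not InstallAnywhere's own code: the fix the note proposes.
# Instead of predictable, world-writable /tmp/persistent_state and
# /tmp/env.properties.$$, each run works inside a fresh, random-named
# directory with mode 0700, so an unprivileged user cannot pre-plant a
# symlink at a path that root is about to write.

# Create a private scratch directory under ${TMPDIR:-/tmp} and print its path.
make_private_workdir() {
    parent="${TMPDIR:-/tmp}"
    # umask 077 in a subshell: the directory is never group/world accessible,
    # and mktemp's random suffix defeats filename guessing (the race above).
    (umask 077 && mktemp -d "$parent/installer.XXXXXXXXXX")
}

# Copy stdin to the path in $1, refusing symlinks and non-regular files.
# These checks are only meaningful because the enclosing directory is
# private (0700); in a shared /tmp an attacker could still race between
# the test and the write.
write_regular_file() {
    target="$1"
    if [ -L "$target" ]; then
        printf 'refusing to write %s: it is a symlink\n' "$target" >&2
        return 1
    fi
    if [ -e "$target" ] && [ ! -f "$target" ]; then
        printf 'refusing to write %s: not a regular file\n' "$target" >&2
        return 1
    fi
    cat > "$target"
}

# Where laxunix.sh would drop files straight into /tmp (assumed layout):
# create the private directory, write both files inside it, clean up.
run_install_step() {
    work=$(make_private_workdir) || return 1
    printf 'state=1\n' | write_regular_file "$work/persistent_state" || return 1
    printf 'JAVA_HOME=%s\n' "${JAVA_HOME:-unset}" \
        | write_regular_file "$work/env.properties.$$" || return 1
    rm -rf "$work"
}

run_install_step
```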