Date: 16 Sep 2005 09:01:19 -0000
From: [email protected]
To: [email protected]Subject: worring about YaST in SuSE 9.3 and maybe lower
X-Virus-Scanned: antivirus-gw at tyumen.ru
author: l0om
email: email:l0om | a7 | excluded d07 org
page: www.excluded.org
worring about YaST in SuSE 9.3 and maybe lower
iam wondering about the installation routine from SuSE linux 9.3 and maybe some lower verisons.
YaST is creating a directory named "/var/adm/YaST/InstSrcManager/IS_CACHE_0x0000000X/DATA/descr" which is worldwritable by default. the directory contains data like packagenames and pathnames needed for YaST if you install software. for normal this directory shouldnt be writable by everyone because if you change the install media a new "IS_CACHE_0x0000000X/DATA/descr" is created which isnt worldwritable.
so you may be able to poising the data which is viewd by root while he is trying to install data. the following data may be changed for example (file "packages"):
##----------------------------------------
=Pkg: 3ddiag 0.724 3 i586
+Req:
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
/bin/sh
libc.so.6
libc.so.6(GLIBC_2.0)
libhd.so.10
libsysfs.so.1
rpmlib(PayloadIsBzip2) <= 3.0.5-1
-Req:
+Prq:
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsBzip2) <= 3.0.5-1
-Prq:
+Prv:
3ddiag = 0.724-3
-Prv:
=Grp: System/Base
=Lic: GPL
=Src: 3ddiag 0.724 3 src
=Tim: 1111489970
=Loc: 1 3ddiag-0.724-3.i586.rpm
=Siz: 28015 46735
+Aut:
Stefan Dirsch <sndirsch@suse.de.>
-Aut:
##----------------------------------------
thats the information for one package.
change the rpms path to somethin like "../../../" isnt possible cause its filterd.
for sure you can simply prevent the admin installing new software with YaST if you destroy the "packages" file but i have noted somethin else too.
if you change the "=Loc" parameter e.g. to the following:
=Loc: 1 AAAAAAAA["A"x515]AAA3ddiag-0.724-3.i586.rpm
and the administrator is trying to install the package it will end in a Segmentation Fault that may be exploitable for an attacker.
---
root:~# yast
[trys to install some stuff]
sbin/yast: line 207: 8447 Speicherzugriffsfehler (core dumped) $ybindir/y2base menu ncurses
badass@linux:~> gdb /usr/lib/YaST2/bin/y2base core.8447 -q
[...]
Reading symbols from /usr/lib/libncursesw.so.5...done.
Loaded symbols for /usr/lib/libncursesw.so.5
Reading symbols from /usr/lib/libpanelw.so.5...done.
Loaded symbols for /usr/lib/libpanelw.so.5
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_system.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_system.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_ini.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_ini.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2Pkg.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2Pkg.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_xml.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_xml.so.2
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_hwprobe.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_hwprobe.so.2
Reading symbols from /lib/libhd.so.10...done.
Loaded symbols for /lib/libhd.so.10
Reading symbols from /lib/libsysfs.so.1...done.
Loaded symbols for /lib/libsysfs.so.1
Reading symbols from /usr/lib/libiw.so.28...done.
Loaded symbols for /usr/lib/libiw.so.28
#0 0xffffe410 in ?? ()
(gdb) i r
eax 0x1 1
ecx 0x4010d9e9 1074846185
edx 0x1 1
ebx 0x7 7
esp 0x4127c3a4 0x4127c3a4
ebp 0x4127c3d8 0x4127c3d8
esi 0x80ef104 135196932
edi 0x80ef0d8 135196888
eip 0xffffe410 0xffffe410
eflags 0x293 659
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
-----
as there is no need to have the directory worldwritable it should be chmoded to somethin different.