The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


worring about YaST in SuSE 9.3 and maybe lower


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: 16 Sep 2005 09:01:19 -0000
From: [email protected]
To: [email protected]
Subject: worring about YaST in SuSE 9.3 and maybe lower
X-Virus-Scanned: antivirus-gw at tyumen.ru

author:		l0om 
email: 		email:l0om | a7 | excluded d07 org
page:		www.excluded.org

worring about YaST in SuSE 9.3 and maybe lower

iam wondering about the installation routine from SuSE linux 9.3 and maybe some lower verisons.
YaST is creating a directory named "/var/adm/YaST/InstSrcManager/IS_CACHE_0x0000000X/DATA/descr" which is worldwritable by default. the directory contains data like packagenames and pathnames needed for YaST if you install software. for normal this directory shouldnt be writable by everyone because if you change the install media a new "IS_CACHE_0x0000000X/DATA/descr" is created which isnt worldwritable. 

so you may be able to poising the data which is viewd by root while he is trying to install data. the following data may be changed for example (file "packages"):

##----------------------------------------
=Pkg: 3ddiag 0.724 3 i586
+Req:
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
/bin/sh
libc.so.6
libc.so.6(GLIBC_2.0)
libhd.so.10
libsysfs.so.1
rpmlib(PayloadIsBzip2) <= 3.0.5-1
-Req:
+Prq:
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsBzip2) <= 3.0.5-1
-Prq:
+Prv:
3ddiag = 0.724-3
-Prv:
=Grp: System/Base
=Lic: GPL
=Src: 3ddiag 0.724 3 src
=Tim: 1111489970
=Loc: 1 3ddiag-0.724-3.i586.rpm
=Siz: 28015 46735
+Aut:
Stefan Dirsch <sndirsch@suse.de.>
-Aut:
##----------------------------------------
thats the information for one package. 

change the rpms path to somethin like "../../../" isnt possible cause its filterd.

for sure you can simply prevent the admin installing new software with YaST if you destroy the "packages" file but i have noted somethin else too.

if you change the "=Loc" parameter e.g. to the following:

=Loc: 1 AAAAAAAA["A"x515]AAA3ddiag-0.724-3.i586.rpm

and the administrator is trying to install the package it will end in a Segmentation Fault that may be exploitable for an attacker.

---
root:~# yast

[trys to install some stuff]

sbin/yast: line 207:  8447 Speicherzugriffsfehler  (core dumped) $ybindir/y2base menu ncurses

badass@linux:~> gdb /usr/lib/YaST2/bin/y2base core.8447 -q
[...]
Reading symbols from /usr/lib/libncursesw.so.5...done.
Loaded symbols for /usr/lib/libncursesw.so.5
Reading symbols from /usr/lib/libpanelw.so.5...done.
Loaded symbols for /usr/lib/libpanelw.so.5
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_system.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_system.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_ini.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_ini.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2Pkg.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2Pkg.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_xml.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_xml.so.2
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_hwprobe.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_hwprobe.so.2
Reading symbols from /lib/libhd.so.10...done.
Loaded symbols for /lib/libhd.so.10
Reading symbols from /lib/libsysfs.so.1...done.
Loaded symbols for /lib/libsysfs.so.1
Reading symbols from /usr/lib/libiw.so.28...done.
Loaded symbols for /usr/lib/libiw.so.28
#0  0xffffe410 in ?? ()
(gdb) i r
eax            0x1      1
ecx            0x4010d9e9       1074846185
edx            0x1      1
ebx            0x7      7
esp            0x4127c3a4       0x4127c3a4
ebp            0x4127c3d8       0x4127c3d8
esi            0x80ef104        135196932
edi            0x80ef0d8        135196888
eip            0xffffe410       0xffffe410
eflags         0x293    659
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51


-----

as there is no need to have the directory worldwritable it should be chmoded to somethin different.


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру