

[SRT2001-10] - scoadmin /tmp issues


Date: Tue, 22 May 2001 14:21:00 -0400
From: Richard Johnson <[email protected]>
To: [email protected]
Subject: [SRT2001-10] - scoadmin /tmp issues
Cc: "Recon@Snosoft. Com" <[email protected]>, [email protected]


Strategic Reconnaissance Team Security Advisory (SRT2001-10)

Topic: scoadmin /tmp issues
Vendor: Santa Cruz Operations
Release Date: 05/07/01

.: Description
scoadmin makes poor use of /tmp. File names are very predictable.

.: Impact
As a user:

    ln -s /etc/passwd /tmp/tclerror.1195.log

Wait for root to run scoadmin from xwindows and voilà! When he does, he will clobber /etc/passwd with a garbage file.

In order to get the /tmp/tclerror.pid.log you need for root to have an improper term or cause some other error to happen. A good way to force an error is to stop xm_vtcld from opening... kindly leave a file where it wants its socket and it will complain.

As a normal user:

    touch /tmp/5111_342.0

When root goes to run scoadmin he will get an error and clobber his passwd file due to the ln -s on the tclerror.PID.log you left for him.

.: Workaround
Don't use scoadmin.

.: Systems Affected
Unixware 5.x

.: Proof of Concept

    ln -s /etc/passwd /tmp/tclerror.1195.log

.: Vendor Status
A copy of this advisory was mailed to their attention

.: Credit
Kevin Finisterre
[email protected]

.: DISCLAIMER
©Copyright 2001 Secure Network Operations, Inc. All Rights Reserved.
Strategic Reconnaissance Team | [email protected]
http://recon.snosoft.com | http://www.snosoft.com
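
Added example, not part of the original advisory and not SCO's code: the predictable-name open the advisory describes, beside a hardened open that refuses a pre-existing link. It assumes a POSIX system; the srtdemo directory, the "victim" file and both function names are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a predictable name opened with
 * truncation. open() follows whatever symlink is already at that path. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails with EEXIST if anything, a symlink included, is
 * already at the path; O_NOFOLLOW also refuses a symlink as the last
 * path component. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed demo, confined to a private mkdtemp() directory: a 10-byte
 * "victim" file stands in for the file the link points at. Returns the
 * victim's size after `opener` has opened the pre-linked log name. */
long victim_size_after(int (*opener)(const char *)) {
    char dir[] = "/tmp/srtdemo.XXXXXX", victim[64], logname[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logname, sizeof logname, "%s/tclerror.1195.log", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important\n", 10) != 10) return -1;
    close(fd);
    if (symlink(victim, logname) != 0) return -1;
    fd = opener(logname);              /* what the privileged tool would do */
    if (fd >= 0) close(fd);
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(logname); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe open: victim is %ld bytes\n", victim_size_after(open_log_unsafe));
    printf("safe open:   victim is %ld bytes\n", victim_size_after(open_log_safe));
    return 0;
}
```

A tool that does not need a fixed name should go further and create its log with mkstemp(), which picks an unpredictable name and opens it with O_EXCL in one step.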



