Date: Wed, 17 Jan 2001 03:58:56 +0100
From: Roman Drahtmueller <draht@SUSE.DE>
Subject: Re: Serious security flaw in SuSE rctab
To: BUGTRAQ@SECURITYFOCUS.COM

On Sat, 13 Jan 2001, Paul Starzetz wrote:

> From: Paul Starzetz <paul@STARZETZ.DE>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Date: Sat, 13 Jan 2001 19:15:51 +0100
> Subject: Serious security flaw in SuSE rctab
>
> Hi @ll,
>
> it seems that the problem described below has not been discussed on
> Bugtraq.

Does that mean you wouldn't have reported it otherwise? Why? No, it's
public for the first time. Before writing to bugtraq, you could have
communicated it to us. It was sent to feedback@suse.de, our address for
bugs, RFEs and such, at around the time when your mail was submitted to
bugtraq. <security@suse.de>, our contact address for security-related
issues, was not addressed.

Your mail reveals that your primary intention was _not_ to improve
security: You failed to report this problem, and there is no hint on how
to fix it. Please let me do that, then (search for "Solution"!).

-

> Problem description
> -------------------
>
> Due to various race conditions in the init level editing script
> /sbin/rctab it is possible for any local user to overwrite any system's

I confirm that a problem exists with the rctab script from the aaa_base
package in SuSE-6.0, 6.1, 6.2, 6.3, 6.4, 7.0, all platforms, as well as
the SuSE-5.x distributions. However, the description of the problem is
not accurate. The race condition is a result of a failure to create a
directory to store the temporary file in. The mkdir command used does not
take into account that the directory, if it exists already, might not
belong to root or may be writeable for attackers. `chown root:root´ is
clearly a wrong step since this would introduce a race in a
1777-directory again.

The relevant piece of the /sbin/rctab shell script reads as follows:

___[snip]
tmpdir=/tmp/rctmpdir.$$
tmp="${tmpdir}/rctmp"
trap "rm -rf $tmpdir" 0 1 3 4 7 9 13 15
trap "exit 1" 2
mkdir -p ${tmpdir}
if test $? -gt 0 -o ! -d ${tmpdir} ; then
    echo "Error $0: cannot create $tmpdir" 1>&2
    exit 1
fi
chmod 0700 $tmpdir
#
# make sort secure
#
export TMPDIR=$tmpdir
___[snip]

As you can see, `mkdir -p ...´ is used to create a directory within /tmp.
`mkdir -p´ does not return an error if the directory exists already.
Thus, the error condition that should be detected is not reached, and the
program does not exit.

Solution for the problem: remove the only occurrence of the string "-p "
in the file /sbin/rctab. Change the line

    mkdir -p ${tmpdir}

to read

    mkdir ${tmpdir}

Of course, we will provide update packages for the supported
distributions 6.x and 7.0 (that will fix some more (rather minor)
problems.). Future versions of the SuSE distributions do not contain the
rctab script any more.

Only small comments of academic nature following now.

> file with arbitrary data. This may result in a denial of service attack,
> local or even remote root compromise, if root runs the /sbin/rctab
> script.

To achieve a remote root compromise, local root privilege is required.
Therefore, it is not a remote root compromise.

> Details
> -------
>
> The /sbin/rctab script doesn't check for links writing the temporary
> rctmp file to /tmp/rctmpdir.$PID dir. Also the directory created isn't
> chown'ed root. Because the PID of the rctab script can be guessed (or

`chown root.root´ doesn't make sense from the security standpoint. If the
directory is created, it belongs to root. If it doesn't, then you would
not want it and abort the script. chown of a (potentially) user-owned
file is definitely not the way to go. From within a C program, fchown(2)
is ok if you made sure that the file (that you hold open) is the one you
wanted. It is even necessary to safely unlink(2) it later to avoid a race
in a 1777-directory (because there is no "funlink(2)").

> looked up, however), any local user can replace the temporary rctmp file
> with arbitrary content. This can be exploited in one of the following
> manners:
>
> [deleted down to EOF]

Roman Drahtmüller, SuSE security.

--
- -
| Roman Drahtmüller      <draht@suse.de> //  "Caution: Cape does
  SuSE GmbH - Security           Phone: //   not enable user to fly."
| Nürnberg, Germany      +49-911-740530 //   (Batman Costume warning label)
- -
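The mkdir -p problem and the fix described in the message above, shown side by side as an added example. This is shell code written for this page, not the rctab script and not SuSE's update; the base directory created with mktemp, the PID value 12345 and the function names are assumptions. It simulates a local user pre-creating the predictable /tmp/rctmpdir.$$ directory and shows that the `mkdir -p` variant walks straight into the attacker-owned directory while plain `mkdir` aborts:

```shell
#!/bin/sh
# Added example, not from the original post or from /sbin/rctab.
# Contrasts the rctab "mkdir -p" idiom with the fix (drop "-p").

# Vulnerable form, as in rctab: mkdir -p succeeds when "$1" already
# exists, whoever owns it, so the "cannot create" test after it never
# fires and the script goes on to write its temp file into that directory.
make_tmpdir_vuln() {
    mkdir -p "$1" 2>/dev/null
    if [ $? -gt 0 ] || [ ! -d "$1" ]; then
        return 1
    fi
    chmod 0700 "$1"
    return 0
}

# Fixed form: plain mkdir fails (EEXIST) on a pre-existing directory, so
# the script aborts instead of trusting a directory it did not create.
# No chown is needed: if mkdir succeeded, the caller owns the directory.
make_tmpdir_fixed() {
    mkdir "$1" 2>/dev/null || return 1
    [ -d "$1" ] || return 1
    chmod 0700 "$1"
    return 0
}

# Demonstration: an "attacker" pre-creates the guessable rctmpdir.<pid>
# directory (PID 12345 is an assumed value) inside a stand-in for /tmp.
demo() {
    base=$(mktemp -d) || return 2           # stand-in for /tmp (assumption)
    target="$base/rctmpdir.12345"           # PID-based, predictable name
    mkdir "$target"                         # attacker wins the race
    touch "$target/rctmp"                   # and plants the file rctab will use

    if make_tmpdir_vuln "$target"; then
        vuln_result="continued-into-attacker-dir"
    else
        vuln_result="aborted"
    fi
    if make_tmpdir_fixed "$target"; then
        fixed_result="continued-into-attacker-dir"
    else
        fixed_result="aborted"
    fi
    rm -rf "$base"
    echo "mkdir -p: $vuln_result ; mkdir: $fixed_result"
}
```

Run `demo` to see the two outcomes on the same pre-created directory. The point the check relies on is that mkdir without -p is atomic with respect to the existence test: either the caller created the directory and owns it, or mkdir fails and the script exits before the trap, chmod or any file write touches the attacker's directory.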