![[LWN Logo]](/images/lcorner.png) |
|
![[Timeline]](/images/Included.png) |
Date: Sat, 19 Aug 2000 16:29:16 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Subject: Multiple Local Vulnerabilities in Helix Gnome Installer
To: BUGTRAQ@SECURITYFOCUS.COM
Multiple Vulnerabilities In Helix Gnome Installer 0.2
VULNERABILITIES:
The Helix installer contains multiple locally exploitable vulnerabilities.
1. Several of the gdmify functions are vulnerable to attack because
they use system and /tmp in unsafe manners
> SuSE and Caldera
A mkdir of the right path by any user prior to root running the Helix
Installer will blank real config files losing parts of the users
system configuration.
> Other
The other cases appear safe basically by chance.
2. The downloader tries to use a /tmp/helix_install directory, which
at first seems a good idea. Unfortunately
rc = mkdir(download_dir, 0600);
if (rc < 0) {
if (errno != EEXIST) {
error_box(g_strdup_printf("Helix GNOME Update was
exit(1);
}
}
In other words, if I get there first and create a mode 777 directory
the Helix user may end up installing arbitarily modified packages
from a local attacker.
3. When the user quits the updater the updating code on the version
inspected attempts to delete the files in the download directory.
Unfortunately due to an elementary coding error it deletes each file
in the download directory with a corresponding file in /var/tmp
Bugs 2 and 3 combine to allow any hostile local user to make the user of the
Helix Updater delete arbitary files.
There are other potential holes in the check_rpm code but these depend on
the XML database file fetched from helixcode.com being compromised. It would
appear possible to create a remote exploit based on DNS spoofing to feed
such a tampered XML file to the Installer but this would be an extremely
tricky stunt and has not been attempted.
Oddly enough given these errors the usual buffer overrun bugs appear absent.
The authors make religious use of glib safe string functionality.
WORKAROUND:
Firstly if you have no untrusted users on the machine you need not worry
about bugs 1-3. This means the majority of users need not worry. If you have
untrusted users you should set the download directory rather than use the
tmp default. A user will be able to delete arbitary files in the directory
you use but this can be a new empty directory so this is an acceptable
workaround.
Be sure to also change the download directory in instances of the updater
run from cron or at.
NOTES:
Helixcode were notified about this on the 7th August.