Date: Sat, 19 Aug 2000 16:29:16 +0100 From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK> Subject: Multiple Local Vulnerabilities in Helix Gnome Installer To: BUGTRAQ@SECURITYFOCUS.COM Multiple Vulnerabilities In Helix Gnome Installer 0.2 VULNERABILITIES: The Helix installer contains multiple locally exploitable vulnerabilities. 1. Several of the gdmify functions are vulnerable to attack because they use system and /tmp in unsafe manners > SuSE and Caldera A mkdir of the right path by any user prior to root running the Helix Installer will blank real config files losing parts of the users system configuration. > Other The other cases appear safe basically by chance. 2. The downloader tries to use a /tmp/helix_install directory, which at first seems a good idea. Unfortunately rc = mkdir(download_dir, 0600); if (rc < 0) { if (errno != EEXIST) { error_box(g_strdup_printf("Helix GNOME Update was exit(1); } } In other words, if I get there first and create a mode 777 directory the Helix user may end up installing arbitarily modified packages from a local attacker. 3. When the user quits the updater the updating code on the version inspected attempts to delete the files in the download directory. Unfortunately due to an elementary coding error it deletes each file in the download directory with a corresponding file in /var/tmp Bugs 2 and 3 combine to allow any hostile local user to make the user of the Helix Updater delete arbitary files. There are other potential holes in the check_rpm code but these depend on the XML database file fetched from helixcode.com being compromised. It would appear possible to create a remote exploit based on DNS spoofing to feed such a tampered XML file to the Installer but this would be an extremely tricky stunt and has not been attempted. Oddly enough given these errors the usual buffer overrun bugs appear absent. The authors make religious use of glib safe string functionality. WORKAROUND: Firstly if you have no untrusted users on the machine you need not worry about bugs 1-3. This means the majority of users need not worry. If you have untrusted users you should set the download directory rather than use the tmp default. A user will be able to delete arbitary files in the directory you use but this can be a new empty directory so this is an acceptable workaround. Be sure to also change the download directory in instances of the updater run from cron or at. NOTES: Helixcode were notified about this on the 7th August.