[UNIX] Etnus TotalView Default Ownership Problems
From: support@securiteam.com
Date: 03/26/02
From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 26 Mar 2002 20:48:38 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Etnus TotalView Default Ownership Problems
------------------------------------------------------------------------
SUMMARY
<http://www.etnus.com/Products/TotalView/> Etnus TotalView is a
multiprocessor source-level debugger for programs written in the C, C++,
and FORTRAN programming languages. TotalView is part of a suite of
programming tools from Etnus, LLC. A security vulnerability in the product
caused by problematic permission settings allows local attackers to gain
arbitrary privileges.
DETAILS
Vulnerable systems:
Etnus TotalView version 5.0.0-4
The installation program fails to install the files used by the program
with ownership of root:root, which could lead to a possible root compromise.
This is because insecure UIDs are used: if you have UID 5039 or GID 59, or
can get either, you can exploit the condition.
Demonstration:
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/
total 16
drwxrwxr-x 4 root root 4096 Mar 24 16:29 ./
drwxr-xr-x 19 root root 4096 Mar 24 16:29 ../
drwxrwxr-x 5 root root 4096 Mar 24 16:29 flexlm-6.1/
drwxrwxr-x 12 root root 4096 Mar 24 16:29 totalview.5.0.0-4/
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/totalview.5.0.0-4/
total 56
drwxrwxr-x 12 root root 4096 Mar 24 16:29 ./
drwxrwxr-x 4 root root 4096 Mar 24 16:29 ../
drwxrwxr-x 2 5039 59 4096 Mar 24 16:29 bin/
drwxrwxr-x 3 5039 59 12288 Jan 8 01:33 bitmaps/
drwxrwxr-x 2 5039 59 4096 Jan 8 01:36 fonts/
drwxrwxr-x 4 5039 59 4096 Feb 8 02:43 help/
drwxrwxr-x 2 5039 59 4096 Jan 9 06:31 include/
drwxrwxr-x 2 5039 59 4096 Jan 9 06:31 lib/
drwxrwxr-x 7 5039 59 4096 Jan 8 02:12 linux-x86/
drwxrwxr-x 3 5039 59 4096 Jan 8 01:36 man/
drwxrwxr-x 2 5039 59 4096 Jan 8 01:27 mri/
drwxrwxr-x 3 5039 59 4096 Jan 9 06:30 X11/
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/flexlm-6.1/
total 32
drwxrwxr-x 5 root root 4096 Mar 24 16:29 ./
drwxrwxr-x 4 root root 4096 Mar 24 16:29 ../
drwxrwxr-x 2 5039 59 4096 Jan 8 01:25 bin/
drwxrwxr-x 4 5039 59 4096 Jan 8 01:25 doc/
drwxrwxr-x 3 5039 59 4096 Jan 8 02:12 i386-linux/
-r--r--r-- 1 5039 59 228 Jan 8 01:24 license.opt.src
-r--r--r-- 1 5039 59 6959 Jan 8 01:24 README
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/flexlm-6.1/i386-linux/bin/
total 3244
drwxrwxr-x 2 5039 59 4096 Jan 8 02:12 ./
drwxrwxr-x 3 5039 59 4096 Jan 8 02:12 ../
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmcksum*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmdiag*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmdown*
-r-xr-xr-x 1 5039 59 260244 Jan 8 02:12 lmgrd*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmhostid*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmremove*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmreread*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmstat*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmswitchr*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmutil*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmver*
-r-xr-xr-x 1 5039 59 377356 Jan 8 02:12 toolworks*
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/totalview.5.0.0-4/linux-x86/bin/
total 15960
drwxrwxr-x 2 5039 59 4096 Mar 24 16:29 ./
drwxrwxr-x 7 5039 59 4096 Jan 8 02:12 ../
-r-xr-xr-x 1 5039 59 4727166 Jan 8 02:15 hyperhelp*
lrwxrwxrwx 1 5039 59 13 Mar 24 16:29 totalview -> ./../bin/tv5*
lrwxrwxrwx 1 5039 59 16 Mar 24 16:29 totalviewcli -> ./../bin/tv5cli*
lrwxrwxrwx 1 5039 59 13 Mar 24 16:29 tv5 -> ./../bin/tv5*
lrwxrwxrwx 1 5039 59 16 Mar 24 16:29 tv5cli -> ./../bin/tv5cli*
-r-xr-xr-x 1 5039 59 3412128 Feb 5 01:00 tv5climain*
-r-xr-xr-x 1 5039 59 6005964 Feb 5 00:59 tv5main*
lrwxrwxrwx 1 5039 59 16 Mar 24 16:29 tvdsvr -> ./../bin/tvdsvr*
-r-xr-xr-x 1 5039 59 373208 Feb 5 01:00 tvdsvrmain*
-r-xr-xr-x 1 5039 59 1763856 Jan 8 02:16 vismain*
lrwxrwxrwx 1 5039 59 19 Mar 24 16:29 visualize -> ./../bin/visualize*
As you can see, some files are owned by a user and group other than root.
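
An administrator's check for the condition shown in the listings above, as an added example that is not part of the original advisory: it reports entries in an install tree that are not owned by the expected user and group, that carry a UID or GID with no matching account, or that are writable by an unexpected group. The function names and the root:root default are this example's own assumptions.

```shell
#!/bin/sh
# Added example: ownership audit for a vendor install tree such as
# /usr/local/toolworks. Function names are this example's own.

# Entries whose owner or group differs from the expected pair (default root:root).
wrong_owner() {
    find "$1" \( ! -user "${2:-root}" -o ! -group "${3:-root}" \) -print
}

# Entries whose numeric UID/GID maps to no account; ls prints these as bare
# numbers (5039 and 59 in the advisory). Whoever is later assigned that ID
# becomes the owner.
orphaned() {
    find "$1" \( -nouser -o -nogroup \) -print
}

# Non-symlink entries that are world-writable, or group-writable by a group
# other than the expected one (the "drwxrwxr-x ... 5039 59" directories).
risky_writable() {
    find "$1" ! -type l \( -perm -002 -o \( -perm -020 ! -group "${2:-root}" \) \) -print
}

# Print a labelled report; return 1 if anything was found.
audit_tree() {
    dir=$1 owner=${2:-root} group=${3:-root} status=0
    for check in wrong_owner orphaned risky_writable; do
        case $check in
            wrong_owner)    out=$(wrong_owner "$dir" "$owner" "$group") ;;
            orphaned)       out=$(orphaned "$dir") ;;
            risky_writable) out=$(risky_writable "$dir" "$group") ;;
        esac
        if [ -n "$out" ]; then
            status=1
            printf '%s\n' "$out" | sed "s|^|$check: |"
        fi
    done
    return $status
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    audit_tree "$@"
fi
```

Invoked with the install directory as its argument, the script exits non-zero on any finding. A tree re-owned to root:root (for example with chown -hR root:root) is the state the advisory says the installer should have produced.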
ADDITIONAL INFORMATION
The information has been provided by <mailto:nullptr@tasmail.com> Andrew
Griffiths.