[H-GEN] [ksrt at dec.net: [linux-security] KSR[T] Advisory #3: updatedb / crontabs]

Aaron Howell aaron at sunrise.cnl.com.au
Tue Oct 7 22:45:36 EDT 1997


-----Forwarded message from "KSR[T]" <ksrt at dec.net>-----

-----                                                     
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt at dec.net                                      
-----                
                                                          KSR[T] Advisory #003
                                                          Date:   Aug 05, 1997
                                                          ID #:   lin-cron-003 

Operating System(s): Redhat linux 4.1, SuSE Linux 5.0, Slackware 3.3

Affected Program:    updatedb / crontabs

Problem Description: There are numerous problems in the default root crontabs
                     for several flavors of UNIX.  This advisory will contain
                     a brief description of several vulnerabilities that we 
                     have discovered.

                     Redhat Linux 4.1:  updatedb contains several security
                     holes.   Updatedb will send the results of a find 
                     command string to sort.  Sort will use /tmp to store
                     temp files, and it will follow symbolic links.  A
                     creative attacker can create files in a world writable
                     directory that allows them to control what data will
                     be written to the symbolic link. 
                     
                     SuSE Linux 5.0:  makewhatis uses /tmp; this allows
                     attackers to overwrite files as root.  They cannot
                     control the data being written.  
                      
                     The system crontab also calls updatedb.

                     check_log_file() contains a SERIOUS security hole that
                     will allow an intruder to write over any file on the
                     system, with whatever he/she wants.  There are numerous
                     other /tmp file problems with the default crontab,
                     it is highly recommended that you upgrade immediately.
                     ( See Patch/Fix section )
                    
                     Slackware 3.3 also comes with a vulnerable version
                     of updatedb installed.

Compromise:          updatedb can allow any local user to execute commands
                     as any user, including root.  
                     
                     SuSE's default crontab can allow local users to execute 
                     commands as root.  

                     makewhatis can allow local users to overwrite/create 
                     any file on the system.
                     
Patch/Fix:           

Redhat
------

This problem was fixed in Redhat 4.2.

S.u.S.E
-------

Fixes for S.u.S.E. Linux 5.0:
-----------------------------
 
    ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-5.0/a1/aaa_base.rpm
 
md5:
1ea3b7c6760b6e8db98b49897ba47ad1  aaa_base.rpm
 
    ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-5.0/ap1/makewhat.rpm
 
md5:
e22df292fe878397cbe800ff796c3a0b  makewhat.rpm
 
 
Fixes for S.u.S.E. Linux 4.4.1 (should work for older versions too):
--------------------------------------------------------------------
 
    ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-4.4.1/a1/aaa_base.tgz
 
md5:
4c0bff940210b83c00564595fd3e35b3  aaa_base.tgz
 
    ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-4.4.1/ap1/makewhat.tgz
 
md5:
503e1678dea767bf2cdab04282777c73  makewhat.tgz
 



-----End of forwarded message-----

-- 
Aaron Howell.	Q.U.T Equity Department, Technical Support/Training.
work: a.howell at qut.edu.au	Linux/Networking Support.
home: a.howell at student.qut.edu.au	phone +61-412-956-467
www: http://www2.cnl.com.au/~aaron	irc: DaRkAnGeL
Support the efforts of the Coalition Against Unsolicited Commercial Email. 
http://www.cauce.org for details. help stamp out internet junkmail.
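
Added example, not part of the advisory or of any distribution's updatedb: a hardened form of the find-into-sort step the advisory describes, where sort's temp files go to a private directory instead of shared /tmp and the result is installed by rename. The function name build_index and the file-name templates are hypothetical, and the destination directory is assumed to be writable only by the user running the job.

```sh
#!/bin/sh
# build_index ROOT OUTFILE   (hypothetical helper, added for illustration)
# Writes a sorted list of every path under ROOT to OUTFILE.
build_index() {
    root=$1
    out=$2
    outdir=$(dirname -- "$out")

    # Anything created below is accessible to the owner only.
    old_umask=$(umask)
    umask 077

    # mktemp -d makes a fresh mode-0700 directory with an unpredictable
    # name; it never reuses an existing path or a symlink planted there.
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/index.XXXXXXXXXX") || {
        umask "$old_umask"; return 1; }

    # Stage the output beside its destination (assumed not world-writable)
    # so the final rename stays on one filesystem.
    staged=$(mktemp "$outdir/.index.XXXXXXXXXX") || {
        rm -rf -- "$scratch"; umask "$old_umask"; return 1; }

    # -T points sort's spill files at the private directory, so nothing
    # with a guessable name is ever opened in shared /tmp.
    if find "$root" -print | LC_ALL=C sort -T "$scratch" > "$staged"; then
        # Renaming over OUTFILE replaces a symlink found at that name
        # instead of writing through it to the link's target.
        mv -f -- "$staged" "$out"
        rc=$?
    else
        rm -f -- "$staged"
        rc=1
    fi

    rm -rf -- "$scratch"
    umask "$old_umask"
    return "$rc"
}
```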