-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
October 6, 2000

Insecure call of external programs in Red Hat Linux tmpwatch

Synopsis:

The tmpwatch utility is used in Red Hat Linux to remove temporary files. This
utility has an option to call the "fuser" program, which verifies if a file is
currently opened by a process. The fuser program is invoked within tmpwatch by
calling the system() library subroutine. Insecure handling of the arguments to
this subroutine could potentially allow an attacker to execute arbitrary
commands.

Impact:

This vulnerability may allow local attackers to compromise superuser access if
tmpwatch is used by the administrator in a non-default manner.

Affected Versions:

Red Hat Linux 7.0 (tmpwatch v2.5.1)
Red Hat Linux 6.2 (tmpwatch v2.2)

Use the 'rpm -q tmpwatch' command to verify which version is installed. The
tmpwatch package as well as the package containing fuser are included in the
default base installation. By default, tmpwatch with the fuser option is not
used in any package shipped with the Red Hat distributions.

Description:

The tmpwatch tool removes files that have not been modified or accessed within
a specified amount of time. It was designed to securely remove files by
avoiding typical race condition vulnerabilities. System administrators usually
run this tool periodically to remove old temporary files in world-writeable
directories.

The tmpwatch tool uses the --fuser or -s options to avoid removing a file that
is in an open state in another process.  This option uses the system() library
subroutine to call the external program /sbin/fuser with the file name being
examined as an argument.  The system() subroutine spawns a shell to execute the
command.  An attacker may create a file name containing shell metacharacters,
which could allow them to execute arbitrary commands if tmpwatch with the
fuser option is used to remove the file.

Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch packages
suggests this vulnerability was recognized and a fix was attempted. However,
the fix is incorrect, and the vulnerability is still exploitable.

Recommendations:

Do not use the --fuser or -s options with tmpwatch.

Red Hat has issued the following RPMs that contain fixes for this
vulnerability.

Red Hat Linux 6.2:

alpha:
ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm

Red Hat Linux 7.0:

i386:
ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm

sources:
ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm

Verification:

MD5 sum                           Package Name
- --------------------------------------------------------------------------
b8a670944cc54fd39c9eefb79f147ec1  6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm
39fe4fbf666e5f9a40503134c05046d8  6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm
84609abc355fde23ce878e4d310766f8  6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm
f4625e9bc27af011a614eaa146586917  6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm
b1a9201c44a5f921209c9b648ba85ada  7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm
8acf394469c47a98fcc589dd0d73b98c  7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Red Hat's key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>


Developer Recommendations:

If an external program needs to be called within a process, try to avoid the
system() subroutine. Use the execve() subroutine instead.  See the Secure
UNIX Programming FAQ for details:

http://www.whitefang.com/sup/secure-faq.html#INPUT3

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the Name
CAN-2000-0816 to this issue. This is a candidate for inclusion in the CVE
list http://cve.mitre.org, which standardizes names for security problems.

Credits:

This vulnerability was discovered and researched by Allen Wilson and Aaron
Campbell of the ISS X-Force.

The vendor contact in regards to this vulnerability was performed with the
help of the SecurityFocus.com Vulnerability Help Team. For more
information or assistance drafting advisories please mail
vulnhelp@securityfocus.com.

_____

About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOd5lczRfJiV99eG9AQFcWwQAje1iGLZa2YWJ+i8dDm8MvJa64F1+ABb3
G0EuESss5yQw8FV1XO7r8JfjU9UndMNg1i7r5xmWCbUIXuP5M6EHsITubt6qoRy+
UyyEKpQs6t7Gixxs4rVdc+ztdxV2nARvPzorZUBAthPn7lDbPWDTVYpzubgbW7Pq
Lto9f6L0w6c=
=6aRu
-----END PGP SIGNATURE-----