From dube0866@EUROBRETAGNE.FR Fri Aug 8 05:04:01 1997 Date: Sat, 1 Jan 1994 23:09:09 +0100 From: Nicolas Dubee To: BUGTRAQ@NETSPACE.ORG plaguez security advisory n. 7 admin-v1.2 vulnerabilities Program: the admin-v1.2 package, a system administration tool. Version: current (v1.2) older ones. OS: verified on Linux, maybe others too. Problem: temporary files / symlinks Impact: any file on an affected system can be overwritten, regardless of access permissions. hello, this week, I'll focus on a little sysadmin tool called admin-v1.2 (found on Sunsite: system/Admin/), and I'll show how several little vulnerabilities can be exploited to trash any file on an affected system. as always, sorry if it's known stuff. Description: ------------ Several vulnerabilities exist in the admin-v1.2 package, an interactive system managment tool by Emmett Sauer and Linux Business Systems. By exploiting those vulnerabilities, local users can erase arbitrary files on the system, regardless of access permissions. admin-v1.2 does not properly handle temporary files. It writes user menu choices and more to temporary files in the /tmp directory. These files are named using the syntax /tmp/name.$$, some do not even use the $$ suffix. Unfortunatly, admin-v1.2 does not check if these files exist and will follow symlinks. It is then possible to overwrite any file on the system. An attacker could for example link any of these temporary files to /etc/passwd or /.rhosts and wait for the administrator to use admin-v1.2. The target file would be erased or trashed with random data. It may also be possible to use admin-v1.2 to gain root privileges, though I did not manage to do it. Fix: ---- Remove the admin-v1.2 package. well, that's it for this week. Next week, next hole ! :) --------------------------- plaguez dube0866@eurobretagne.fr http://plaguez.insomnia.org --------------------------- _Free_ security probes, Unix programming. ps.: the above url courtesy of TheFloyd.