lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <26098517.1076950193@[10.3.62.6]>
Date: Mon, 16 Feb 2004 16:49:53 +0100
From: "Dr. Peter Bieringer" <pbieringer@...asec.de>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: Possible race condition in Symantec AntiVirus Scan Engine for Red
 Hat Linux during LiveUpdate


Hi,

during evaluation of Symantec AntiVirus Scan Engine for Red Hat Linux 
(file: Scan_Engine_430-RedHat-1.zip) we found a race condition using 
default configuration.

Like written in "Implementation_Guide.pdf" on page 134 LiveUpdate can be 
triggered by cron via a shell script:

# /opt/SYMCScan/bin/liveupdate.sh -virusdefs
    or
# /bin/sh /opt/SYMCScan/bin/liveupdate.sh -virusdefs

This will create a log file in /tmp with a very predictable name:
 "/tmp/LiveUpdate.log" (with permissions of 644)

# ll /tmp/
-rw-r--r--    1 symantec avdefs       4517 Feb 16 15:05 LiveUpdate.log

This is defined in the config file "liveupdate.conf":

# cat /etc/liveupdate.conf
protocol=http
host=liveupdate.symantec.com
workdir=/tmp
logfile=/tmp/LiveUpdate.log  <---!!!!!!

Impact:
Before first run of LiveUpdate (like suggested in doc, user "symantec" does 
this) a possible race condition via a symlink attack by another user will 
result in the creation of a new file (as user "symantec") or appending 
LiveUpdate log to an existent file (owned by user "symantec").

Additional *important* note:
Because the PDF document doesn't match the as-it-is of the installation (an 
user "symantec" can't execute liveupdate.sh" without adjusting the 
permissions of the shell script and the directory "virusdefs") it's very 
possible, that admins configure the crontab entry for "liveupdate.sh" as 
user "root"!

# ll /opt/SYMCScan/bin/liveupdate.sh
-rwxr-x---    1 root     root        14700 Feb 16 16:16 
/opt/SYMCScan/bin/liveupdate.sh

# ll /opt/SYMCScan |grep virusdefs
drwxr-xr-x    2 root     root         4096 Feb 16 16:16 virusdefs


BTW: The installer uses PID for tmp directory naming, another minor issue...

# ll /tmp/
drwxr-xr-x    2 root     root         4096 Feb 16 15:47 symcinst9918
# ps -ax | grep 9918
  9918 pts/0    S      0:02 sh ./ScanEngine.sh

-> fix to a unpredictable name


BTW2: looks like a temp directory during install has always the same name.
# ll /tmp/
drwx------    2 root     root         4096 Feb 16 16:16 savsetmp

-> fix to a unpredictable name


BTW3: temporary directory during LiveUpdate run has permissions 755
# ll /tmp/
drwxr-xr-x    2 root     root         4096 Feb 16 16:37 1076967476267

-> fix permissions to at least 750, perhaps it's also not the best method 
to use Unix time in milliseconds to name this directory.


Suggestions/workarounds:
* for the software vendor:
    use a better default value, e.g.
      logfile=/var/log/LiveUpdate.log
    Fix permissions of log file to at least 640
    Fix PDF document or/and permissions for
      liveupdate.sh and directory virusdefs
      (and on RHL systems: "/usr/bin/sh" doesn't exist, fix to "/bin/sh")
    Fix predictable directory names during installation
    Fix permissions of temp directory during LiveUpdate run to at least 750
    Fix name of temp directory to a more unpredictable one


* for administrators:
    adjust config file before first run of the LiveUpdate process
    adjust permissions of
      liveupdate.sh and directory virusdefs
      and run liveupdate.sh as non-root user


Regards,
	Dr. Peter Bieringer
-- 
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@...asec.de
Germany                                Internet: http://www.aerasec.de



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ