From xforce@iss.net Wed Jul 12 21:22:26 2000
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Wed, 12 Jul 2000 18:47:23 -0400
Subject: ISSalert: Internet Security Systems Security Advisory: Insecure temporary file handling in Linux makewhatis
Sender: owner-alert@iss.net
Precedence: bulk
Reply-To: X-Force
X-Loop: alert

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

============================================================================
This advisory is a multi-vendor issue, and some vendors have distributed
resolutions in advance of the ISS advisory after being informed of the
vulnerability. This advisory is being distributed to provide additional
information about the scope of the vulnerability and to detail which Linux
distributions were tested and found to be vulnerable or not vulnerable.
============================================================================

Internet Security Systems Security Advisory
July 12, 2000

Insecure temporary file handling in Linux makewhatis

Synopsis:

Internet Security Systems (ISS) X-Force has identified a vulnerability in
the makewhatis Bourne shell script that ships with many Linux distributions.
It is found in versions 1.5e and higher of the "man" utility package.

Affected Distributions/Versions:

Red Hat Linux 5.2        Vulnerable      Uses man-1.5e
Red Hat Linux 6.0        Vulnerable      Uses man-1.5g
Red Hat Linux 6.1        Vulnerable      Uses man-1.5g
Red Hat Linux 6.2        Vulnerable      Uses man-1.5h
Linux-Mandrake 6.x       Vulnerable      Uses man-1.5g
Linux-Mandrake 7.0       Vulnerable      Uses man-1.5g
Linux-Mandrake 7.1       Vulnerable      Uses man-1.5g
Caldera OpenLinux 2.3    Vulnerable      Uses man-1.5f

Additional Distributions/Versions that were tested and found to be not
vulnerable:

Debian Linux 2.1         Not Vulnerable  Uses man-db
Red Hat Linux 5.1        Not Vulnerable  Uses man-1.5d
Slackware 4              Not Vulnerable  Uses Perl script
Slackware 7              Not Vulnerable  Uses Perl script
SuSE 6.3                 Not Vulnerable

Impact:

Local users may gain root privileges.

Description:

The makewhatis program builds the whatis database for use with the "whatis",
"apropos", and "man" programs to find online documentation. It is typically
invoked with root privileges and is scheduled to run periodically (as a cron
job).

A working copy of the database is created as a temporary file in the
world-writable /tmp directory. The temporary file is named /tmp/whatis$$,
where $$ is the Process ID (PID) of the running makewhatis process. The
program does not perform sufficient tests to ensure that the file it is
about to create does not already exist. Due to the predictability of process
IDs and the limited scope of a PID integer (0-65535), an attacker could
exploit the race condition using symbolic links.

The problem is greater on Linux systems that ship with makewhatis scheduled
to run at a specified time. In these cases, the attacker knows when
makewhatis will be run.

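
The temporary-file pattern described above, next to two hardened forms, as an added example that is not part of the original advisory and not code from makewhatis. The function names and the sandbox directory standing in for /tmp are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; not code from makewhatis or from the advisory.

# Pattern described in the advisory: predictable name, plain ">" redirection.
# ">" follows a symlink that is already sitting at that path.
unsafe_create() {   # $1 = directory standing in for /tmp
    f="$1/whatis$$"
    : > "$f" && printf '%s\n' "$f"
}

# Hardened form 1: same name, but with noclobber (set -C) the shell refuses
# an existing regular file and creates new files exclusively (bash, dash),
# so a symlink planted at the name, to a file or dangling, is rejected.
excl_create() {
    f="$1/whatis$$"
    ( set -C; : > "$f" ) 2>/dev/null && printf '%s\n' "$f"
}

# Hardened form 2: unpredictable private directory (mode 0700) from mktemp;
# the working file is created inside it.
private_create() {
    d=$(mktemp -d "$1/whatis.XXXXXX") || return 1
    : > "$d/whatis" && printf '%s\n' "$d/whatis"
}

# Constructed check: place a symlink at the predictable name inside a
# sandbox directory and report how each form behaves.
demo() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim"
    printf 'keep\n' > "$victim"
    ln -s "$victim" "$sandbox/whatis$$"
    unsafe_create "$sandbox" >/dev/null
    [ -s "$victim" ] && r1=intact || r1=truncated
    printf 'keep\n' > "$victim"
    excl_create "$sandbox" >/dev/null && r2=created || r2=refused
    [ -s "$victim" ] && r3=intact || r3=truncated
    p=$(private_create "$sandbox") && [ ! -L "$p" ] && r4=private || r4=failed
    rm -rf "$sandbox"
    printf '%s %s %s %s\n' "$r1" "$r2" "$r3" "$r4"
}
# demo prints: truncated refused intact private
```
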
Recommendations:

Linux-Mandrake recommends that affected customers upgrade to:

md5sum: f4f87cab84a716a2ccb8c74b3325c0c9  6.0/RPMS/man-1.5g-15mdk.i586.rpm
md5sum: 52d021732aa09d517eeff8b60d427a69  6.0/SRPMS/man-1.5g-15mdk.src.rpm
md5sum: 2b01457036a6813fa616adbca97fcb36  6.1/RPMS/man-1.5g-15mdk.i586.rpm
md5sum: 52d021732aa09d517eeff8b60d427a69  6.1/SRPMS/man-1.5g-15mdk.src.rpm
md5sum: ea883685faa409148f9b55c442a0438c  7.0/RPMS/man-1.5g-15mdk.i586.rpm
md5sum: 52d021732aa09d517eeff8b60d427a69  7.0/SRPMS/man-1.5g-15mdk.src.rpm
md5sum: fbc1b9e04d75f267650f291d99f467f1  7.1/RPMS/man-1.5g-15mdk.i586.rpm
md5sum: 52d021732aa09d517eeff8b60d427a69  7.1/SRPMS/man-1.5g-15mdk.src.rpm

To upgrade automatically, use « MandrakeUpdate ». If you want to upgrade
manually, download the updated package from one of the FTP server mirrors
and upgrade with "rpm -Uvh package_name". All mirrors are listed at
http://www.mandrake.com/en/ftp.php3. Updated packages are available in the
"updates/" directory. The Security Update for this vulnerability was issued
on 7/7/2000 and can be found at:
http://www.linux-mandrake.com/en/fupdates.php3.

Fix Information for Red Hat can be found at:
http://www.redhat.com/support/errata/rh62-errata-security.html
Red Hat Security Advisory RHSA-2000:041-02 issued on 7/3/2000

Fix Information for Caldera Systems can be found at:
http://www.calderasystems.com/support/security/advisories/CSSA-2000-021.0.txt
Caldera Systems, Inc. Security Advisory CSSA-2000-021.0 issued on 7/6/2000

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0566 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

Credits:

This vulnerability was discovered and researched by Aaron Campbell and Allen
Wilson of the ISS X-Force. ISS would like to thank Linux-Mandrake and
Andries Brouwer for their response and handling of this vulnerability.

Red Hat was notified of this vulnerability on 6/28/00. Numerous attempts
were made to contact Caldera and a synopsis of the problem was reported to
bugs@calderasystems.com on 6/30/00.

______

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and strategic
consulting and education offerings, ISS is a trusted security provider to
its customers, protecting digital assets and ensuring safe and uninterrupted
e-business. ISS' security management solutions protect more than 5,500
customers worldwide including 21 of the 25 largest U.S. commercial banks, 10
of the largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional
offices throughout North America and international operations in Asia,
Australia, Europe, Latin America and the Middle East. For more information,
visit the Internet Security Systems web site at www.iss.net or call
888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as
on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of
Internet Security Systems, Inc.

Revision History

July 12, 2000: Initial release.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOWz1ADRfJiV99eG9AQEeBAP/WNBvGzwXJGxIdsSPy/hghfktF0eOqnB2
2VZb1fhm3mhYjB7piY8ygzmG7loRics4mr007/a7pybBMFmPiEax0Z7FcW/TDgZo
EtJsTXE/a5dKuzB0H/iJ8kVOJZmcPynAJ0wk7WZLbLcM1HXwBo9hXgrFH/Sg9l6Z
+yufRazeQ68=
=IvpT
-----END PGP SIGNATURE-----