SNS Advisory No.37

HTTProtect allows attackers to change the protected file using a symlink

Problem first discovered: 4 Jun 2001
Published: 18 Jul 2001
Last Updated: 18 Jul 2001
_________________________________________________________________

Overview:

  HTTProtect is a security product released by Omnisecure
  ([7]http://www.ominisecure.com) which prevents users from changing and
  deleting files on the ext2 file system. Even if attackers gain root
  privilege, it prevents them from changing or deleting protected files.
  However, there is a problem which allows attackers to change protected
  files, bypassing the access control.

Problem Description:

  Protected files normally cannot be changed, even by attackers who have
  root privilege. However, attackers can change protected files under
  these conditions:

  1. Attackers can make a symlink in a writable directory (e.g. /tmp).
  2. They are the owner of the target file or they have root privilege.

  Example (the protected file is /opt/www/html/index.html):

    $ ln -s /opt/www/html/index.html /tmp/foo
    $ vi /tmp/foo (cat /tmp/hack.html > /tmp/foo)

Tested Version:

  HTTProtect 1.1.1

Tested OS:

  Red Hat Linux 6.2-J (Kernel 2.2.14-50)

Patch Information:

  The patch is now available at the Omnisecure Web site.
  ([8]http://www.omnisecure.com/products/http/Linux/1.1.1/index.htm)

Discovered by:

  TANIDA Fusao (LAC) [9]tanida@lac.co.jp

Disclaimer:

  All information in these advisories is subject to change without
  advance notice or mutual consensus, and each advisory is released as
  it is. LAC Co.,Ltd. is not responsible for any risks or occurrences
  caused by applying this information.
_________________________________________________________________

Copyright(c) 1995-2002 Little eArth Corporation

References

  1. LYNXIMGMAP:http://www.lac.co.jp/security/english/snsadv_e/37_e.html#r1_c1Map
  2. http://www.lac.co.jp/security/index.html
  3. http://www.lac.co.jp/security/english/snsadv_e/index.html
  4. http://www.lac.co.jp/security/english/snsadv_e/36_e.html
  5. http://www.lac.co.jp/security/english/snsadv_e/38_e.html
  6. http://www.lac.co.jp/security/intelligence/SNSAdvisory/37.html
  7. http://www.ominisecure.com/
  8. http://www.omnisecure.com/products/http/Linux/1.1.1/index.htm
  9. mailto:tanida@lac.co.jp
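
Added example (not part of the advisory and not Omnisecure's code): the conditions in the Problem Description depend on a symlink in a writable directory that points at a protected file, so an administrator can audit such directories for links that resolve into the protected tree. The function names and the scratch layout are assumptions of this example, and it relies on GNU find and "readlink -f" as found on Linux.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumes GNU find and
# "readlink -f" (coreutils) on Linux.

# links_into_protected SCAN_DIR PROTECTED_PATH
# Prints "LINK -> RESOLVED" for each symlink under SCAN_DIR whose fully
# resolved target is PROTECTED_PATH or lies beneath it.
links_into_protected() {
    # Canonicalise the protected path so the comparison below is exact.
    protected=$(readlink -f -- "$2") || return 2
    find "$1" -xdev -type l -exec sh -c '
        protected=$1; shift
        for link in "$@"; do
            # -f follows the whole chain, so link-to-link indirection is caught.
            target=$(readlink -f -- "$link" 2>/dev/null) || continue
            case $target in
                "$protected"|"$protected"/*)
                    printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done' sh "$protected" {} + 2>/dev/null
}

# Constructed sample layout mirroring the advisory's paths under a scratch
# root: ROOT/opt/www/html/index.html is "protected", ROOT/tmp is writable.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/opt/www/html" "$root/tmp" "$root/home"
    echo original > "$root/opt/www/html/index.html"
    echo notes > "$root/home/notes.txt"
    ln -s "$root/opt/www/html/index.html" "$root/tmp/foo"   # direct link
    ln -s "$root/tmp/foo" "$root/tmp/bar"                   # link to a link
    ln -s "$root/home/notes.txt" "$root/tmp/benign"         # unrelated link
    printf '%s\n' "$root"
}

# Run the scan on the constructed sample when invoked with "demo".
if [ "${1:-}" = demo ]; then
    root=$(make_sample) && links_into_protected "$root/tmp" "$root/opt/www/html"
    rm -rf "$root"
fi
```

On a real host the call would be, for the paths used in the advisory, links_into_protected /tmp /opt/www/html; any line it prints is a link worth investigating before the patch is applied.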