======/tmp Symlink Vulnerability with ZeroG's InstallAnywhere5====== //December 20, 2002//

**I. BACKGROUND**

InstallAnywhere (www.zerog.com) is a software framework that simplifies software installation on multiple client and server platforms. It is used by vendors such as LimeWire (www.limewire.org). During execution this software insecurely creates two files in /tmp that can be used to clobber system files through symlink attacks. For one of the files an attacker must win a race condition to determine the filename; the other requires no guesswork.

**II. DESCRIPTION**

I noticed InstallAnywhere creates the following files in /tmp:

persistent_state

env.properties.NNNNN

Where NNNNN is the current process id (''$$'' in the shell).

These files can be used to clobber system files if the installation software is run as root. A malicious attacker can create a symlink in /tmp pointing to a critical system file. That system file will then be overwritten with the contents of the temporary file. For example:

''[nobody $] ln -s /etc/passwd /tmp/persistent_state''

Then if root runs software utilizing the InstallAnywhere software (in my case it was LimeWire) the contents of /etc/passwd will be overwritten with the contents of persistent_state.

The env.properties.NNNNN file appears to be created during the execution of InstallerData/makeExecutable/laxunix.sh

The persistent_state file might be created during the execution of ./InstallerData/com/zerog/registry/UUID.class

A basic check with ''strings'' leads me to believe this.
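The following is an added illustration, not code from this advisory or from ZeroG: the create-or-truncate pattern that makes the two /tmp files clobberable, beside the creation mode a fixed installer should use, which refuses a pre-planted symlink. Function names and the ''/tmp/ia_demo.XXXXXX'' demo directory are my own choices.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Insecure pattern the advisory describes: a fixed, predictable name in /tmp
 * opened with create-or-truncate. open() follows a symlink here, so a
 * pre-planted /tmp/persistent_state -> /etc/passwd is truncated and
 * overwritten when the installer runs as root. */
int unsafe_open_state(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened creation: O_EXCL makes open() fail with EEXIST whenever the name
 * already exists, and POSIX guarantees this even when the name is a symlink,
 * whatever it points to. O_NOFOLLOW is belt and braces on top of that. */
int safe_open_state(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        fprintf(stderr, "refusing %s: already exists or is a symlink\n", path);
    return fd;
}

/* Self-check: builds the attack layout in a private directory (a dummy target
 * file plus a symlink to it, no real system file is touched) and verifies
 * that safe_open_state() refuses the link and leaves the target intact.
 * Returns 1 on success, 0 otherwise. */
int safe_open_refuses_symlink(void) {
    char dir[] = "/tmp/ia_demo.XXXXXX";   /* constructed demo directory */
    char target[64], link[64], buf[16];
    int ok = 0, fd;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/persistent_state", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) { if (write(fd, "intact", 6) != 6) ok = -1; close(fd); }
    if (ok == 0 && symlink(target, link) == 0 && safe_open_state(link) < 0) {
        fd = open(target, O_RDONLY);   /* target must still hold "intact" */
        if (fd >= 0 && read(fd, buf, sizeof buf) == 6 && memcmp(buf, "intact", 6) == 0) ok = 1;
        if (fd >= 0) close(fd);
    }
    unlink(link); unlink(target); rmdir(dir);
    return ok == 1;
}

int main(void) {
    printf("symlink refused, target intact: %s\n", safe_open_refuses_symlink() ? "yes" : "no");
    return 0;
}
```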

**III. ANALYSIS**

Local attackers can exploit this vulnerability to clobber root-owned system files; this could possibly lead to a denial of service or system compromise.

**IV. DETECTION**

If software utilizes InstallAnywhere v5.0.6 to perform system installation then you are vulnerable. I tested the enterprise edition that I downloaded from them for a free evaluation.

**V. WORKAROUND**

Boot the system into single user mode only and ensure no other users are logged in during installation.

**VI. VENDOR FIX**

Vendor notified 11/30/2002. No response.

**VII. CVE INFORMATION**

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has not assigned an identification number to this issue.

**VIII. DISCLOSURE TIMELINE**

12/20/2002      Issue disclosed to iDEFENSE
7/20/2004       Advisory released, two years old.

**IX. CREDIT**

Larry W. Cashdollar (http://vapid.dhs.org) discovered this vulnerability.