COMMAND

    admin

SYSTEMS AFFECTED

    Linux systems running admin-v1.2 and older ones (others?)

PROBLEM

    admin-v1.2 package  is a  system administration  tool.   This tool
    can be  obtained from  Sunsite (system/Admin).   Actually, several
    vulnerabilities exist  in the  admin-v1.2 package,  an interactive
    system managment tool by Emmett Sauer and Linux Business Systems.

    By  exploiting  those  vulnerabilities,  local  users  can   erase
    arbitrary files on the system, regardless of access permissions.

    admin-v1.2 does  not properly  handle temporary  files. It  writes
    user  menu  choices  and  more  to  temporary  files  in  the /tmp
    directory.  These files  are named using the  syntax /tmp/name.$$,
    some do not even use the $$ suffix. Unfortunatly, admin-v1.2  does
    not check  if these  files exist  and will  follow symlinks. It is
    then possible to overwrite any file on the system.

    An attacker could for example link any of these temporary files to
    /etc/passwd  or  /.rhosts  and  wait  for the administrator to use
    admin-v1.2.  The  target  file  would  be  erased  or trashed with
    random data.  It may  also be  possible to  use admin-v1.2 to gain
    root privileges, though there is  no such report.  Credit  goes to
    Nicolas Dubee.

SOLUTION

    Remove the admin-v1.2 package.