COMMAND
updatedb / crontabs
SYSTEMS AFFECTED
Redhat 4.1, SuSE Linux 5.0, Slackware 3.3, SunOS 5.5.1, FreeBSD 2.2.2
PROBLEM
The following information is based on KSR[T] Advisory #3. There are
numerous problems in the default root crontabs of several flavors of
UNIX. The KSR[T] advisory contained a brief description of several
vulnerabilities that they had discovered.
REDHAT LINUX 4.1: updatedb contains several security holes.
updatedb sends the results of a find command to sort. sort uses /tmp
to store its temporary files, and it will follow symbolic links. A
creative attacker can create files in a world-writable directory
that allow them to control what data will be written through the
symbolic link.
SuSE LINUX 5.0: makewhatis uses /tmp, which allows attackers to
overwrite files as root, although they cannot control the data being
written. The system crontab also calls updatedb. check_log_file()
contains a SERIOUS security hole that will allow an intruder to
write over any file on the system with whatever he/she wants.
There are numerous other /tmp file problems with the default
crontab; it is highly recommended that you upgrade immediately.
SLACKWARE 3.3 also comes with a vulnerable version of updatedb
installed.
updatedb can allow any local user to execute commands as any user,
including root. SuSE's default crontab can allow local users to
execute commands as root. makewhatis can allow local users to
overwrite/create any file on the system.
Here's some additional info. When it sorts the files that find
gets, it creates a few files in /tmp called sort0<pid>000{1,2,etc}.
Each is around 512k. The first file is created and filled, then, if
necessary, another is created, and so on until it has your whole
filesystem in a nice database. Once the first file is created you
can easily guess what the next filename will be, as only the last
character changes. If you create a link to, say, the shadow
password file, updatedb will kindly overwrite it for you.
Example (assuming updatedb is running in the background):
$ ls /tmp
sort012340000 sort012340001
$ ln -s /etc/shadow /tmp/sort012340002
<wait for awhile to give updatedb time to write to our link>
$ ls /tmp
sort012340000 sort012340001 sort012340002 sort012340003
Once it is done, it will clear out its files from /tmp. Now go look
at the shadow password file. It will be quite a bit larger than it
was before; about 512k is its new size. With this you can write to
/etc/shells so you can ftp into the system no matter what your
specified shell is (credit to cain).
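The condition the sequence above depends on is a link, named like a sort scratch file, sitting in /tmp and pointing at a file elsewhere on the system. As an added example (not part of the advisory or of any vendor's code), the following shell script audits a temporary directory for exactly that and can be used as a guard before a root cron job runs updatedb. The function names find_foreign_symlinks and check_sort_scratch, the sandbox directory and the file names in it are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a temporary directory
# for symbolic links whose target lies outside it. Function names,
# the sandbox and all file names below are constructed for this example.

# find_foreign_symlinks DIR
# Prints "<link> -> <target>" for every symlink directly in DIR (a temp
# directory such as /tmp, not /) that points outside DIR: either an
# absolute target elsewhere, or a relative target that climbs out via
# "..". Relative targets containing ".." anywhere are flagged
# conservatively, even "a/../b", which actually stays inside DIR.
find_foreign_symlinks() {
    dir=${1%/}
    for link in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link") || continue
        case $target in
            "$dir"/*) ;;                              # absolute, inside DIR
            /*) printf '%s -> %s\n' "$link" "$target" ;;
            ..|../*|*/..|*/../*) printf '%s -> %s\n' "$link" "$target" ;;
            *) ;;                                     # plain relative name
        esac
    done
}

# check_sort_scratch DIR
# Returns 0 when no link named like a sort scratch file (sort0<digits>)
# points out of DIR, 1 otherwise; usable as "check_sort_scratch /tmp &&
# updatedb" in a crontab entry so the job refuses to run in that case.
check_sort_scratch() {
    n=$(find_foreign_symlinks "$1" | grep -c '/sort0[0-9]* -> ' || true)
    [ "$n" -eq 0 ]
}

# Constructed demonstration in a private sandbox rather than the real /tmp.
demo() {
    sandbox=$(mktemp -d) || return 1
    : > "$sandbox/sort012340000"                            # ordinary scratch file
    ln -s "$sandbox/sort012340000" "$sandbox/sort012340001" # link inside: fine
    ln -s /etc/shadow "$sandbox/sort012340002"              # the planted link
    find_foreign_symlinks "$sandbox"
    # prints: <sandbox>/sort012340002 -> /etc/shadow
    rm -rf "$sandbox"
}

demo
```

The check only looks at the top level of the directory, which is where sort creates its files; it resolves nothing, so a dangling link is reported just like a live one, and the report is the evidence an administrator would want to keep before removing the link.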
On SunOS 5.5.1 the filenames are of the form
/var/tmp/stmAAAa003M_aa, and the files are typically smaller. The
M_ part, at least, appears to change from run to run, but it doesn't
change within a run. Solaris 5.5.1 sort doesn't check for symlinks
before it opens the file, so it is possible to overwrite a file.
SOLUTION
It should be pointed out that on Red Hat 4.2 and 5.0 updatedb runs
as user nobody by default. One workaround is to set the TMPDIR
environment variable to a directory that only root can access; sort
will then write its temporary files to that directory instead of
/tmp.
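As an added example (not from the advisory or from any vendor's crontab), the script below applies the TMPDIR workaround in a cron job and goes one step beyond it: instead of a single static directory, each run gets a fresh mode-0700 directory from mktemp -d, which refuses to reuse an existing path, so there is no predictable name for anyone to plant a link under. It also includes a check for the static variant, verifying that an administrator-chosen TMPDIR carries no group or world permission bits. The TMP_ROOT variable, the cronjob.XXXXXX template and both function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: confine a root cron job's
# scratch files (sort's temporary files under updatedb, for instance)
# to a directory created for that run alone. TMP_ROOT, the template
# name and the function names are this example's own choices.

# check_tmpdir_is_private DIR
# Returns 0 if DIR is a directory with no group or world permission
# bits, which is what a statically configured TMPDIR should look like.
check_tmpdir_is_private() {
    [ -d "$1" ] || return 1
    # Columns 5-10 of "ls -ld" output are the group and other bits.
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# run_with_private_tmpdir CMD [ARGS...]
# Creates a private scratch directory, exports it as TMPDIR for CMD
# only (inside a subshell, so the caller's environment is untouched),
# removes it afterwards and returns CMD's exit status.
run_with_private_tmpdir() {
    # mktemp -d creates the directory with mode 0700 and an unpredictable
    # name, and fails instead of reusing a path that already exists.
    private=$(mktemp -d "${TMP_ROOT:-/var/tmp}/cronjob.XXXXXX") || return 1
    (
        TMPDIR=$private
        export TMPDIR
        exec "$@"
    )
    status=$?
    rm -rf "$private"
    return "$status"
}

# Crontab usage, with this file saved as /usr/local/sbin/private-tmp-run:
#   0 4 * * * /usr/local/sbin/private-tmp-run updatedb
# Run with no arguments it shows, with a harmless stand-in command,
# where a job's scratch files would go.
if [ $# -gt 0 ]; then
    run_with_private_tmpdir "$@"
else
    run_with_private_tmpdir sh -c 'echo "scratch files for this run go to $TMPDIR"'
fi
```

Because the directory is created immediately before the job and removed immediately after, nothing else can observe or pre-populate it; the parent (TMP_ROOT) may itself be a shared directory, since mktemp's exclusive creation is what prevents a planted link from being followed.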
S.u.S.E
-------
Fixes for S.u.S.E. Linux 5.0:
ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-5.0/a1/aaa_base.rpm
ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-5.0/ap1/makewhat.rpm
Fixes for S.u.S.E. Linux 4.4.1 (should work for older versions
too):
ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-4.4.1/a1/aaa_base.tgz
ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-4.4.1/ap1/makewhat.tgz