COMMAND
InoculateIT
SYSTEMS AFFECTED
InoculateIT for Linux
PROBLEM
Chris Wilson found the following. He discovered a security flaw (a
/tmp race condition) in Computer Associates' InoculateIT product,
a good virus scanner for Microsoft and UNIX platforms which is
free for personal use. The vulnerability allows local users to
deny service to the system or possibly gain root privileges.
The vulnerability affects some UNIX versions of InoculateIT under
certain conditions. Although we tested the Linux version, this
version is not vulnerable under normal circumstances. However, it
is believed that other UNIX versions are basically identical and,
given the necessary directory layout, will be vulnerable to this
attack.
The update_signature script, at least in the Linux version, calls
ftpdownload to retrieve an updated version of itself. ftpdownload
contains a security vulnerability, and update_signature contains a
self-destruct mechanism.
1. Insecure temporary files.
============================
ftpdownload contains the following lines:
wlog=/tmp/ftpdownload.log
...
$CAIGLBL0000/ino/bin/wget $URL -O $LOCAL_FN > $wlog 2>&1
Because the temporary file /tmp/ftpdownload.log has a well-known,
non-random name and is created in a public /tmp directory, any
user can create a symbolic link from /tmp/ftpdownload.log to
another file on the system, and that file will be overwritten.
This requires two preconditions:
a) $CAIGLBL0000/ino/bin/wget must exist, otherwise wget is not run.
b) ftpdownload is run as root.
If these preconditions are met, and /tmp/ftpdownload.log is a
symbolic link to, say, /etc/passwd, then that file will be
overwritten next time ftpdownload is run. This may happen
automatically, since the README file gives instructions for
installing it as a cron job which executes automatically every day
at 1am. The result is at least a denial of service, and quite
possibly a root compromise if you overwrite the correct file.
Please note that the advisory contains a small mistake. We have
discovered that it is not possible, as previously thought, to
overwrite any file on the system with arbitrary contents, only
with the contents of an FTP download or error message. We believe
that this mitigates the risk of exploitation, but we could be
wrong.
2. Self-Destruct in update_signature.
=====================================
update_signature helpfully renames the current InoculateIT files
with a .prev extension before downloading an update, in case the
updated files are corrupt or do not work for some reason. However,
in the event of a download failure, the .prev files are not
restored to their original names. The virus scanner will then
refuse to run unless these files are renamed manually, or
update_signature.prev is run manually to download a new copy.
An automatic update might fail for a number of reasons, for
example if the user's Internet connection has failed, is busy, or
is under a denial-of-service attack, or if CA's server crashed,
was cracked, or was under heavy load (e.g. around 1am).
SOLUTION
The solution is to modify the script to store the log file in a
secure temp directory, for example:
wlog=$LOCAL_FN.log
The solution for the second problem is to change this code:
else
echo "Error $? during tar extract"
exit 16
fi
to:
else
echo "Error $? during tar extract"
for i in inocucmd virsig.dat README.txt update_signature ftpdownload $id_file; do
mv -f $i.prev $i
done
exit 16
fi
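As an added illustration, not InoculateIT's own code and not part of the advisory, the POSIX shell wrapper below puts both fixes together: the download log goes into a private directory created with mktemp -d (so no other user can plant a link at a predictable name), a predictable log path is refused if it is a symbolic link, and a failed download moves every .prev file back into place instead of leaving the scanner unusable. The function names (safe_logfile, check_log_path, restore_prev, update_files) and the fetch-command parameter, which stands in for the wget call so the example runs offline, are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not InoculateIT's own code). Function and parameter names
# are assumptions chosen for illustration.

# safe_logfile: print a log path inside a freshly created private directory
# (mktemp -d creates it mode 0700). Returns 1 if the path cannot be set up.
safe_logfile() {
    logdir=$(mktemp -d "${TMPDIR:-/tmp}/ftpdownload.XXXXXX") || return 1
    chmod 700 "$logdir"
    logfile="$logdir/ftpdownload.log"
    # Defensive re-check: never write through a pre-existing file or link.
    if [ -L "$logfile" ] || [ -e "$logfile" ]; then
        return 1
    fi
    printf '%s\n' "$logfile"
}

# check_log_path PATH: the check an administrator can apply to the original
# predictable path. Returns 1 (and refuses) if a symbolic link sits there.
check_log_path() {
    if [ -L "$1" ]; then
        echo "$1 is a symbolic link; refusing to use it as a log file" >&2
        return 1
    fi
    return 0
}

# restore_prev DIR FILE...: move each FILE.prev back to FILE, the step the
# advisory found missing. Returns the number of files that could not be restored.
restore_prev() {
    dir=$1; shift
    failed=0
    for f in "$@"; do
        if [ -e "$dir/$f.prev" ]; then
            mv -f "$dir/$f.prev" "$dir/$f" || failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# update_files DIR FETCH_CMD FILE...: rename the current files to .prev, run
# FETCH_CMD (a shell command string standing in for wget) with its output in a
# private log, and roll back to the .prev copies if it fails. On success the
# .prev copies are kept as a fallback, as the advisory describes.
update_files() {
    dir=$1; fetch=$2; shift 2
    log=$(safe_logfile) || { echo "could not create a private log file" >&2; return 1; }
    for f in "$@"; do
        if [ -e "$dir/$f" ]; then
            mv -f "$dir/$f" "$dir/$f.prev"
        fi
    done
    if sh -c "$fetch" > "$log" 2>&1; then
        rm -rf "$(dirname "$log")"
        return 0
    fi
    echo "download failed, restoring previous files (log kept at $log)" >&2
    restore_prev "$dir" "$@" || echo "warning: some .prev files could not be restored" >&2
    return 16
}
```

The advisory's own one-line fix, wlog=$LOCAL_FN.log, is sufficient only when the directory that holds $LOCAL_FN is not world-writable; a private mktemp -d directory removes that dependency, and the explicit -L check is what to look for when auditing a script that still logs to a fixed name under /tmp.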