COMMAND

    satan, cops & tiger

SYSTEMS AFFECTED

    Some systems with satan, cops & tiger

PROBLEM

    Marc Heuse  found following  /tmp race  conditions in  the popular
    security programs cops 1.04, satan 1.1.1 and tiger 2.2.3 ...   All
    the following bugs can be used to create or overwrite any file  on
    the system, because these applications run usually under the  root
    id.   Therefore a  denial-of-service and  depending on  the system
    configuration (and 'luck') a root compromise possible.

    Satan v1.1.1
    ============
    in the file bin/rex.satan:

        tmp_file=/tmp/rex.$$
        trap "$RM -f $tmp_file; exit" 0 1 2 3 15
        [... several lines later ...]
        $REX -a 1,1,1 $target date >$tmp_file 2>/dev/null

    Cops v1.04
    ==========
    in the file res_diff:

        $AWK 'NR > 5' $old_file > /tmp/tmp.$$.foo
        $AWK 'NR > 5' $2 > /tmp/tmp.$$.bar

    in the file checkacct/ca.src:

        (touch /tmp/makedots${THISSHELL};while [ -f /tmp/makedots${THISSHELL} ]; do
                echownl(%.^); sleep 1; done)& 2>&1 >/dev/null;

    touch  follows  this  symlink  ->  any  file can be created on the
    system (what would be a nice attack for this? .nologin for dos?)

in the file extra_src/mail.chk:

        PROG="/usr/tmp/mchk.p$$"
        TEMP="/usr/tmp/mchk.t$$"
        [...]
        $RM -f $PROG
        cat <<'EndOfProg' >$PROG
        [...]
        $RM -f $TEMP
        $LS -lag | $AWK -f $PROG >$TEMP

    Tiger v2.2.3
    ============
    The $WORKDIR  of tiger  2.2.3 is  set to  /tmp and  many temporary
    files  are  being  written  there  (it  would  exeed all limits to
    mention  all   the  lines).    To   prevent  the   raceconditions,
    $TIGER_HOME/tmp should be created  by default and $WORKDIR  in the
    config file set to it.  See below for a patch.  NOTE:  This is not
    the  best  approach  as  many  people  run Tiger off of R/O floppy
    diskettes, and this won't work  in that situation.  As  an interim
    solution, the user should create a scratch directory  specifically
    for Tiger, R/W only by root (there is no reason for anyone else to
    be able  to read  the directory).   Set WORKDIR  to point  to this
    directory.  `/var/spool/tiger' would probably be reasonable.

SOLUTION

    As for fix for SATAN, change the tmp_file= line to

        tmp_file=./rex.$$

    That's how it's done in the other scripts needing temporary files.
    Note  that  the  rex  vulnerability  check  is  not enabled in the
    standard configuration. You have  to change the satan.cf  file for
    that,  so  we  can  assume  that  95% of the installations are not
    concerned.  Satan is out of date anyway, a new version will hit us
    someday in the future.  You can check out the SAINT page at too:

        http://www.wwdsi.com/saint

    COPS PATCH:
    There's no reason to run COPS as root

    --- res_diff.orig       Thu Jun 18 09:54:39 1998
    +++ res_diff    Thu Jun 18 10:02:06 1998
    @@ -38,16 +38,24 @@
            fi

     # has anything changed?
    -$AWK 'NR > 5' $old_file > /tmp/tmp.$$.foo
    -$AWK 'NR > 5' $2 > /tmp/tmp.$$.bar
    +umask 077
    +mkdir /tmp/cops-res_diff.$$ || {
    +       echo "can't create /tmp/cops-res_diff.$$ - possible attack, aborting."
    +       exit 1
    +}
    +TMP_FOO="/tmp/cops-res_diff.$$/tmp.$$.foo"
    +TMP_BAR="/tmp/cops-res_diff.$$/tmp.$$.bar"

    -if $TEST -n "$DIFF /tmp/tmp.$$.foo /tmp/tmp.$$.bar" ; then
    -       $RM -f /tmp/tmp.$$.foo /tmp/tmp.$$.bar
    +$AWK 'NR > 5' $old_file > $TMP_FOO
    +$AWK 'NR > 5' $2 > $TMP_BAR
    +
    +if $TEST -n "$DIFF $TMP_FOO $TMP_BAR" ; then
    +       $RM -f $TMP_FOO $TMP_BAR
            $ECHO There is a difference....
            exit 1
            fi

    -$RM -f /tmp/tmp.$$.foo /tmp/tmp.$$.bar
    +$RM -rf /tmp/cops-res_diff.$$
     # echo There is no difference....
     exit 0
     # end
    --- extra_src/mail.chk.orig     Thu Jun 18 09:55:02 1998
    +++ extra_src/mail.chk  Thu Jun 18 10:01:52 1998
    @@ -19,10 +19,14 @@
     RM=/bin/rm
     MAILDIR=/var/spool/mail
     #
    -PROG="/usr/tmp/mchk.p$$"
    -TEMP="/usr/tmp/mchk.t$$"
    -#
     umask 077
    +mkdir /usr/tmp/cops-mail.chk.$$ || {
    +       echo "can't create /usr/tmp/cops-mail.chk.$$ - possible attack, aborting"
    +       exit 1
    +}
    +PROG="/usr/tmp/cops-mail.chk.$$/mchk.p$$"
    +TEMP="/usr/tmp/cops-mail.chk.$$/mchk.t$$"
    +#
     #
     # Unpack the awk script from a "hereis".
     # The script reports files with bad permissions or where filename !=
    @@ -45,5 +49,5 @@
     fi
     #
     # Clean up.
    -$RM -f $TEMP $PROG
    +$RM -rf /usr/tmp/cops-mail.chk.$$
     exit 0
    --- checkacct/ca.src.orig       Thu Jun 18 09:54:51 1998
    +++ checkacct/ca.src    Thu Jun 18 10:08:20 1998
    @@ -351,12 +351,19 @@
     #
     # define the waiting routine that prints those neat dots
     #
    +umask 077
    +mkdir /tmp/cops-ca.src.$$ || {
    +       echo "can't create /tmp/cops-ca.src.$$ - aborting"
    +       exit 1
    +}
    +
     make_dots='
     if [ ${VERBOSE} -eq 1 ]; then
    -       (touch /tmp/makedots${THISSHELL};while [ -f
    /tmp/makedots${THISSHELL} ]; do echownl(%.^); sleep 1; done)& 2>&1
    +        touch /tmp/cops-ca.src.$$/makedots${THISSHELL};while [ -f
    /tmp/cops-ca.src.$$/makedots${THISSHELL} ];
    +       do echownl(%.^); sleep 1; done)& 2>&1 >/dev/null;
     fi;'

    -stop_dots='sleep 1; /bin/rm -rf /tmp/makedots${THISSHELL};'
    +stop_dots='sleep 1; /bin/rm -f /tmp/cops-ca.src.$$/makedots${THISSHELL};'

     if [ 1 -eq $VERBOSE ]; then

    @@ -542,6 +549,7 @@
     fi;

     %eval^ $stop_dots
    +rm -rf /tmp/cops-ca.src.$$

     if [ ${VERBOSE} -eq 1 ]; then
            echo "Step 3 complete."

    TIGER PATCH:

    --- config.orig Thu Jun 18 09:43:22 1998
    +++ config      Thu Jun 18 09:50:59 1998
    @@ -12,9 +12,6 @@
     #-----------------------------------------------------------------------------
     #
     # space, tab, newline
    -TigerLogDir='.'
    -TigerWorkDir='/tmp'
    -TigerBinDir='$BASEDIR/bin'

     checkfile()
     {
    @@ -53,8 +50,17 @@
         BASEDIR='.'
       fi

    +TigerLogDir='.'
    +TigerWorkDir="$BASEDIR/tmp"
    +TigerBinDir='$BASEDIR/bin'
    +
    +[ -d $TigerWorkDir ] || mkdir $TigerWorkDir || {
    +        echo "can't create TigerWorkDir!"
    +        exit 1
    +}
    +
       LOGDIR=${TigerLogDir:=.}
    -  WORKDIR=${TigerWorkDir:=${TMPDIR:=/tmp}}
    +  WORKDIR=${TigerWorkDir:=${TMPDIR:=$BASEDIR/tmp}}
       EXPLAINREPORT=N
       SERVERCHECK=N
       Tiger_TESTMODE=N