COMMAND
satan, cops & tiger
SYSTEMS AFFECTED
Some systems with satan, cops & tiger
PROBLEM
Marc Heuse found the following /tmp race conditions in the popular
security programs cops 1.04, satan 1.1.1 and tiger 2.2.3. All of
the following bugs can be used to create or overwrite any file on
the system, because these applications usually run under the root
id. Therefore a denial of service and, depending on the system
configuration (and 'luck'), a root compromise are possible.
Satan v1.1.1
============
in the file bin/rex.satan:
tmp_file=/tmp/rex.$$
trap "$RM -f $tmp_file; exit" 0 1 2 3 15
[... several lines later ...]
$REX -a 1,1,1 $target date >$tmp_file 2>/dev/null
Cops v1.04
==========
in the file res_diff:
$AWK 'NR > 5' $old_file > /tmp/tmp.$$.foo
$AWK 'NR > 5' $2 > /tmp/tmp.$$.bar
in the file checkacct/ca.src:
(touch /tmp/makedots${THISSHELL};while [ -f /tmp/makedots${THISSHELL} ]; do
echownl(%.^); sleep 1; done)& 2>&1 >/dev/null;
touch follows this symlink -> any file can be created on the
system (what would be a nice attack for this? .nologin for DoS?)
in the file extra_src/mail.chk:
PROG="/usr/tmp/mchk.p$$"
TEMP="/usr/tmp/mchk.t$$"
[...]
$RM -f $PROG
cat <<'EndOfProg' >$PROG
[...]
$RM -f $TEMP
$LS -lag | $AWK -f $PROG >$TEMP
Tiger v2.2.3
============
The $WORKDIR of tiger 2.2.3 is set to /tmp and many temporary
files are written there (it would exceed all limits to mention
all the lines). To prevent the race conditions, $TIGER_HOME/tmp
should be created by default and $WORKDIR in the config file set
to it. See below for a patch. NOTE: This is not the best approach,
as many people run Tiger off of R/O floppy diskettes, and this
won't work in that situation. As an interim solution, the user
should create a scratch directory specifically for Tiger, R/W only
by root (there is no reason for anyone else to be able to read the
directory), and set WORKDIR to point to this directory.
`/var/spool/tiger' would probably be reasonable.
SOLUTION
As a fix for SATAN, change the tmp_file= line to
tmp_file=./rex.$$
That's how it's done in the other scripts needing temporary files.
Note that the rex vulnerability check is not enabled in the
standard configuration. You have to change the satan.cf file for
that, so we can assume that 95% of the installations are not
concerned. Satan is out of date anyway; a new version will hit us
someday in the future. You can also check out the SAINT page at:
http://www.wwdsi.com/saint
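As an added example (not code from the advisory or from COPS, SATAN or Tiger), the following POSIX sh functions collect the fail-closed pattern the COPS and Tiger patches below apply piecemeal: a per-run scratch directory created atomically with mkdir -m 0700, an abort if that name already exists, cleanup via trap as rex.satan does, and a sanity check for a fixed pre-existing work directory such as the /var/spool/tiger suggested above. The function names and the SCRATCH variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory or from COPS, SATAN or Tiger.
# Assumes POSIX sh with mkdir -m, trap, ls -lnd and id -u.

# make_scratch BASE NAME: create BASE/NAME.$$ with mode 0700 and record it
# in SCRATCH. Fails (touching nothing) if that name already exists.
make_scratch() {
    want="$1/$2.$$"
    # mkdir is atomic and never follows a symlink: a planted link or
    # directory under this name makes it fail with EEXIST instead of
    # being written through, which is why the patches use mkdir and abort.
    if ! mkdir -m 0700 "$want" 2>/dev/null; then
        echo "can't create $want - possible attack, aborting" >&2
        return 1
    fi
    SCRATCH=$want
    # remove it on normal exit and on HUP/INT/QUIT/TERM, as rex.satan does
    # for its temp file (this replaces any earlier trap for these signals)
    trap 'rm -rf "$SCRATCH"' 0 1 2 3 15
}

# check_scratch DIR: accept a fixed, pre-existing work directory only if it
# is a real directory, owned by the invoking user, and not group- or
# world-writable. Returns 1 otherwise.
check_scratch() {
    d=$1
    if [ ! -d "$d" ] || [ -L "$d" ]; then
        echo "$d: not a plain directory" >&2
        return 1
    fi
    set -- $(ls -lnd "$d")       # $1 = mode string, $3 = numeric owner uid
    me=$(id -u)
    if [ "$3" != "$me" ]; then
        echo "$d: owned by uid $3, not $me" >&2
        return 1
    fi
    case "$1" in
        d????-??-?*) return 0 ;;   # positions 6 and 9 are the group/other w bits
        *) echo "$d: group- or world-writable ($1)" >&2; return 1 ;;
    esac
}
```

A script would call make_scratch once near the top and then build every temporary path under "$SCRATCH", so no name in a shared /tmp is ever opened for writing.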
COPS PATCH:
There's no reason to run COPS as root
--- res_diff.orig Thu Jun 18 09:54:39 1998
+++ res_diff Thu Jun 18 10:02:06 1998
@@ -38,16 +38,24 @@
fi
# has anything changed?
-$AWK 'NR > 5' $old_file > /tmp/tmp.$$.foo
-$AWK 'NR > 5' $2 > /tmp/tmp.$$.bar
+umask 077
+mkdir /tmp/cops-res_diff.$$ || {
+ echo "can't create /tmp/cops-res_diff.$$ - possible attack, aborting."
+ exit 1
+}
+TMP_FOO="/tmp/cops-res_diff.$$/tmp.$$.foo"
+TMP_BAR="/tmp/cops-res_diff.$$/tmp.$$.bar"
-if $TEST -n "$DIFF /tmp/tmp.$$.foo /tmp/tmp.$$.bar" ; then
- $RM -f /tmp/tmp.$$.foo /tmp/tmp.$$.bar
+$AWK 'NR > 5' $old_file > $TMP_FOO
+$AWK 'NR > 5' $2 > $TMP_BAR
+
+if $TEST -n "$DIFF $TMP_FOO $TMP_BAR" ; then
+ $RM -f $TMP_FOO $TMP_BAR
$ECHO There is a difference....
exit 1
fi
-$RM -f /tmp/tmp.$$.foo /tmp/tmp.$$.bar
+$RM -rf /tmp/cops-res_diff.$$
# echo There is no difference....
exit 0
# end
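Review bot: the "There is a difference" branch leaks the scratch directory: `$RM -f $TMP_FOO $TMP_BAR` followed by `exit 1` removes the two files but leaves `/tmp/cops-res_diff.$$` behind, so a later run that lands on the same pid aborts with the "possible attack" message. Use `$RM -rf /tmp/cops-res_diff.$$` there as the success path does, or install a `trap` right after the `mkdir` so every exit cleans up. The abort message should also go to stderr (`>&2`) so it is not mistaken for report output.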
--- extra_src/mail.chk.orig Thu Jun 18 09:55:02 1998
+++ extra_src/mail.chk Thu Jun 18 10:01:52 1998
@@ -19,10 +19,14 @@
RM=/bin/rm
MAILDIR=/var/spool/mail
#
-PROG="/usr/tmp/mchk.p$$"
-TEMP="/usr/tmp/mchk.t$$"
-#
umask 077
+mkdir /usr/tmp/cops-mail.chk.$$ || {
+ echo "can't create /usr/tmp/cops-mail.chk.$$ - possible attack, aborting"
+ exit 1
+}
+PROG="/usr/tmp/cops-mail.chk.$$/mchk.p$$"
+TEMP="/usr/tmp/cops-mail.chk.$$/mchk.t$$"
+#
#
# Unpack the awk script from a "hereis".
# The script reports files with bad permissions or where filename !=
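Review bot: the abort message after the failed `mkdir` goes to stdout; write it with `>&2` so it cannot be confused with the check's normal report. The added `+#` immediately above the existing `#` also leaves two consecutive empty comment lines; drop one. The existing `umask 077` sits before the new `mkdir`, so the directory is created 0700 as intended.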
@@ -45,5 +49,5 @@
fi
#
# Clean up.
-$RM -f $TEMP $PROG
+$RM -rf /usr/tmp/cops-mail.chk.$$
exit 0
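Review bot: `$RM -rf /usr/tmp/cops-mail.chk.$$` runs only on this normal-exit path; an interrupt or any earlier `exit` leaves the directory behind, and the next run that gets the same pid then aborts. Installing `trap "$RM -rf /usr/tmp/cops-mail.chk.$$; exit" 0 1 2 3 15` immediately after the `mkdir`, as rex.satan does for its temp file, covers every exit.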
--- checkacct/ca.src.orig Thu Jun 18 09:54:51 1998
+++ checkacct/ca.src Thu Jun 18 10:08:20 1998
@@ -351,12 +351,19 @@
#
# define the waiting routine that prints those neat dots
#
+umask 077
+mkdir /tmp/cops-ca.src.$$ || {
+ echo "can't create /tmp/cops-ca.src.$$ - aborting"
+ exit 1
+}
+
make_dots='
if [ ${VERBOSE} -eq 1 ]; then
- (touch /tmp/makedots${THISSHELL};while [ -f
/tmp/makedots${THISSHELL} ]; do echownl(%.^); sleep 1; done)& 2>&1
+ touch /tmp/cops-ca.src.$$/makedots${THISSHELL};while [ -f
/tmp/cops-ca.src.$$/makedots${THISSHELL} ];
+ do echownl(%.^); sleep 1; done)& 2>&1 >/dev/null;
fi;'
-stop_dots='sleep 1; /bin/rm -rf /tmp/makedots${THISSHELL};'
+stop_dots='sleep 1; /bin/rm -f /tmp/cops-ca.src.$$/makedots${THISSHELL};'
if [ 1 -eq $VERBOSE ]; then
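Review bot: the replacement for the removed `(touch /tmp/makedots...` line, `+ touch /tmp/cops-ca.src.$$/makedots${THISSHELL};while [ -f`, has lost the opening `(` of the subshell while its continuation still ends with `done)& 2>&1 >/dev/null;`; unless that is a line-wrapping artifact of this listing, the `eval` of `$make_dots` fails with an unmatched `)`. Restore the `(` before `touch`. Changing `stop_dots` from `rm -rf` to `rm -f` is right, since the makedots path is now a plain file inside the private directory.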
@@ -542,6 +549,7 @@
fi;
%eval^ $stop_dots
+rm -rf /tmp/cops-ca.src.$$
if [ ${VERBOSE} -eq 1 ]; then
echo "Step 3 complete."
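Review bot: `rm -rf /tmp/cops-ca.src.$$` uses a bare `rm`, whereas `stop_dots` just above uses `/bin/rm` and the res_diff and mail.chk patches use `$RM`; in a script run as root the absolute path (or the script's own `$RM`) should be used so PATH cannot decide which rm executes. Since `stop_dots` sleeps only one second before removing the makedots file and the dot loop polls once a second, the background subshell may still be alive when the directory goes away; harmless, but a `wait` before the `rm -rf` is cleaner.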
TIGER PATCH:
--- config.orig Thu Jun 18 09:43:22 1998
+++ config Thu Jun 18 09:50:59 1998
@@ -12,9 +12,6 @@
#-----------------------------------------------------------------------------
#
# space, tab, newline
-TigerLogDir='.'
-TigerWorkDir='/tmp'
-TigerBinDir='$BASEDIR/bin'
checkfile()
{
@@ -53,8 +50,17 @@
BASEDIR='.'
fi
+TigerLogDir='.'
+TigerWorkDir="$BASEDIR/tmp"
+TigerBinDir='$BASEDIR/bin'
+
+[ -d $TigerWorkDir ] || mkdir $TigerWorkDir || {
+ echo "can't create TigerWorkDir!"
+ exit 1
+}
+
LOGDIR=${TigerLogDir:=.}
- WORKDIR=${TigerWorkDir:=${TMPDIR:=/tmp}}
+ WORKDIR=${TigerWorkDir:=${TMPDIR:=$BASEDIR/tmp}}
EXPLAINREPORT=N
SERVERCHECK=N
Tiger_TESTMODE=N
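Review bot: `mkdir $TigerWorkDir` creates the work directory with whatever umask is in effect, so it may well be world-readable, which contradicts the advisory's own advice that the scratch directory be readable and writable only by root; use `mkdir -m 0700 $TigerWorkDir` (or `umask 077` before it). The `[ -d $TigerWorkDir ] ||` short-circuit also accepts a pre-existing `$BASEDIR/tmp` without checking its owner or mode, and since `BASEDIR` may be `.` that directory lives under whatever the current directory happens to be; at least quote the variable in both the test and the `mkdir`. Finally, with `TigerWorkDir` assigned unconditionally just above, the `${TMPDIR:=$BASEDIR/tmp}` fallback in the `WORKDIR=` line is unreachable; harmless, but misleading.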