Advisories : Insecure call of external programs in Red Hat Linux tmpwatch

main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
discussions
- read forum
- new topic
- search
meetings
- meetings list
- recent additions
- add your info
top 100 sites
- visit top sites
- sign up now
- members
webmasters
- add your url
- add domain
- search box
- link to us
projects
- our projects
- free email
m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Insecure call of external programs in Red Hat Linux tmpwatch
Title:	Insecure call of external programs in Red Hat Linux tmpwatch
Released by:	ISS
Date:	6th October 2000
Printable version:	Click here
-----BEGIN PGP SIGNED MESSAGE-----



Internet Security Systems Security Advisory

October 6, 2000



Insecure call of external programs in Red Hat Linux tmpwatch



Synopsis:



The tmpwatch utility is used in Red Hat Linux to remove temporary files. This

utility has an option to call the "fuser" program, which verifies if a file is

currently opened by a process. The fuser program is invoked within tmpwatch by

calling the system() library subroutine. Insecure handling of the arguments to

this subroutine could potentially allow an attacker to execute arbitrary

commands.



Impact:



This vulnerability may allow local attackers to compromise superuser access if

tmpwatch is used by the administrator in a non-default manner.



Affected Versions:



Red Hat Linux 7.0 (tmpwatch v2.5.1)

Red Hat Linux 6.2 (tmpwatch v2.2)



Use the 'rpm -q tmpwatch' command to verify which version is installed. The

tmpwatch package as well as the package containing fuser are included in the

default base installation. By default, tmpwatch with the fuser option is not

used in any package shipped with the Red Hat distributions.



Description:



The tmpwatch tool removes files that have not been modified or accessed within

a specified amount of time. It was designed to securely remove files by

avoiding typical race condition vulnerabilities. System administrators usually

run this tool periodically to remove old temporary files in world-writeable

directories.



The tmpwatch tool uses the --fuser or -s options to avoid removing a file that

is in an open state in another process.  This option uses the system() library

subroutine to call the external program /sbin/fuser with the file name being

examined as an argument.  The system() subroutine spawns a shell to execute the

command.  An attacker may create a file name containing shell metacharacters,

which could allow them to execute arbitrary commands if tmpwatch with the

fuser option is used to remove the file.



Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch packages

suggests this vulnerability was recognized and a fix was attempted. However,

the fix is incorrect, and the vulnerability is still exploitable.



Recommendations:



Do not use the --fuser or -s options with tmpwatch.



Red Hat has issued the following RPMs that contain fixes for this

vulnerability.



Red Hat Linux 6.2:



alpha:

http://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm



sparc:

http://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm



i386:

http://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm



sources:

http://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm



Red Hat Linux 7.0:



i386:

http://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm



sources:

http://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm



Verification:



MD5 sum                           Package Name

- --------------------------------------------------------------------------

b8a670944cc54fd39c9eefb79f147ec1  6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm

39fe4fbf666e5f9a40503134c05046d8  6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm

84609abc355fde23ce878e4d310766f8  6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm

f4625e9bc27af011a614eaa146586917  6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm

b1a9201c44a5f921209c9b648ba85ada  7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm

8acf394469c47a98fcc589dd0d73b98c  7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm



These packages are GPG signed by Red Hat, Inc. for security.  Red Hat's key

is available at:

    http://www.redhat.com/corp/contact.html



You can verify each package with the following command:

    rpm --checksig  



If you only wish to verify that each package has not been corrupted or

tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg 





Developer Recommendations:



If an external program needs to be called within a process, try to avoid the

system() subroutine. Use the execve() subroutine instead.  See the Secure

UNIX Programming FAQ for details:



http://www.whitefang.com/sup/secure-faq.html#INPUT3



Additional Information:



The Common Vulnerabilities and Exposures (CVE) project has assigned the Name

CAN-2000-0816 to this issue. This is a candidate for inclusion in the CVE

list http://cve.mitre.org, which standardizes names for security problems.



Credits:



This vulnerability was discovered and researched by Allen Wilson and Aaron

Campbell of the ISS X-Force.



The vendor contact in regards to this vulnerability was performed with the

help of the SecurityFocus.com Vulnerability Help Team. For more

information or assistance drafting advisories please mail

vulnhelp@securityfocus.com.



_____



About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security

management solutions for the Internet. By providing industry-leading

SAFEsuite security software, remote managed security services, and

strategic consulting and education offerings, ISS is a trusted security

provider to its customers, protecting digital assets and ensuring safe

and uninterrupted e-business. ISS' security management solutions protect

more than 5,500 customers worldwide including 21 of the 25 largest U.S.

commercial banks, 10 of the largest telecommunications companies and

over 35 government agencies. Founded in 1994, ISS is headquartered in

Atlanta, GA, with additional offices throughout North America and

international operations in Asia, Australia, Europe, Latin America and

the Middle East. For more information, visit the Internet Security

Systems web site at www.iss.net or call 888-901-7477.



Copyright (c) 2000 by Internet Security Systems, Inc.



Permission is hereby granted for the redistribution of this Alert

electronically. It is not to be edited in any way without express

consent of the X-Force. If you wish to reprint the whole or any part of

this Alert in any other medium excluding electronic medium, please

e-mail xforce@iss.net for permission.



Disclaimer



The information within this paper may change without notice. Use of this

information constitutes acceptance for use in an AS IS condition. There

are NO warranties with regard to this information. In no event shall the

author be liable for any damages whatsoever arising out of or in

connection with the use or spread of this information. Any use of this

information is at the user's own risk.



X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well

as on MIT's PGP key server and PGP.com's key server.



Please send suggestions, updates, and comments to: X-Force

xforce@iss.net of Internet Security Systems, Inc.





-----BEGIN PGP SIGNATURE-----

Version: 2.6.3a

Charset: noconv



iQCVAwUBOd5lczRfJiV99eG9AQFcWwQAje1iGLZa2YWJ+i8dDm8MvJa64F1+ABb3

G0EuESss5yQw8FV1XO7r8JfjU9UndMNg1i7r5xmWCbUIXuP5M6EHsITubt6qoRy+

UyyEKpQs6t7Gixxs4rVdc+ztdxV2nARvPzorZUBAthPn7lDbPWDTVYpzubgbW7Pq

Lto9f6L0w6c=

=6aRu

-----END PGP SIGNATURE-----