5384254 2000-08-21  20:36  /71 lines/ The Mail Carrier (which is implemented in) Python
Recipient: Bugtraq (import) <12315>
Subject: Helix Code Security Advisory - Helix GNOME Update
------------------------------------------------------------
From: "Helix Code, Inc." <security@HELIXCODE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200008200739.DAA25668@trna.helixcode.com>

HELIX CODE, INC.                                            SECURITY ADVISORY
security@helixcode.com                                Issue Date: 20 Aug 2000

PACKAGES AFFECTED:
Helix GNOME Updater (helix-update), versions 0.1 through 0.5

SYNOPSIS: A vulnerability in Helix GNOME Update allows non-root users
to exploit world-writable permissions on /tmp, permitting arbitrarily
modified RPM packages to be installed on the system.

DESCRIPTION: A directory called /tmp/helix-install is used to store
downloaded RPM packages to be installed. If that directory was
created by a malicious non-root user prior to root launching the
application, the malicious user could place arbitrary RPM packages in
that directory which could be installed and used to compromise the
security of the system.

SOLUTION: A new version of the Helix GNOME Updater (0.6) has been
released. This new version fixes this vulnerability by storing
downloaded files in /var/cache/helix-install, which is writable only
by root.

AVAILABILITY: New versions of the Helix GNOME Updater are available
immediately from Helix Code, Inc.

A list of supported distributions, platforms and versions can be
found at http://www.helixcode.com/desktop/download.php3.

For Caldera OpenLinux eDesktop systems:
http://spidermonkey.helixcode.com/distributions/Caldera-2.4/helix-update-0.6-0_helix_2.i386.rpm

For LinuxPPC systems:
http://spidermonkey.helixcode.com/distributions/LinuxPPC/helix-update-0.6.0_helix_2.ppc.rpm

For Linux Mandrake systems:
http://spidermonkey.helixcode.com/distributions/Mandrake/helix-update-0.6-0mdk_helix_2.i586.rpm

For Red Hat Linux systems:
http://spidermonkey.helixcode.com/distributions/RedHat-6/helix-update-0.6-0_helix_2.i386.rpm

For Solaris systems:
http://spidermonkey.helixcode.com/distributions/Solaris/helix-update-0.6-0_helix_1.sparc64.rpm

For SuSE 6.3 systems:
http://spidermonkey.helixcode.com/distributions/SuSE/hupdate-0.6-0_helix_2.i386.rpm

For SuSE 6.4 systems:
http://spidermonkey.helixcode.com/distributions/SuSE-6.4/hupdate-0.6-0_helix_2.i386.rpm

For TurboLinux systems:
http://spidermonkey.helixcode.com/distributions/TurboLinux-6/helix-update-0.6-0_helix_3.i386.rpm

VERIFICATION:
cebf0dfee4b6e3863d6accf18323f143  Caldera-2.4/helix-update-0.6-0_helix_2.i386.rpm
a72044ce71275aafb1aad39efc72abae  LinuxPPC/helix-update-0.6-0_helix_2.ppc.rpm
80facf4bc809e462c428a004b0940247  Mandrake/helix-update-0.6-0mdk_helix_2.i586.rpm
0d50980e0206ae3d22364879fc64bb61  RedHat-6/helix-update-0.6-0_helix_2.i386.rpm
1eec4c82ba6a9c7cc2f5645cbcaa5f66  Solaris/helix-update-0.6-0_helix_1.sparc64.rpm
410a4958c95b4426f711d0e5ffae7fb4  SuSE/hupdate-0.6-0_helix_2.i386.rpm
cd5c18a4c9be10c6c311e8785408e6ec  SuSE-6.4/hupdate-0.6-0_helix_2.i386.rpm
c539209a2b2f2ab514126964cfaddda1  TurboLinux-6/helix-update-0.6-0_helix_3.i386.rpm

Copyright (C) 2000 Helix Code, Inc.
(5384254) ------------------------------------------(Rewrapped)

5384801 2000-08-21  22:17  /75 lines/ The Mail Carrier (which is implemented in) Python
Recipient: Bugtraq (import) <12323>
Subject: Multiple Local Vulnerabilities in Helix Gnome Installer
------------------------------------------------------------
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <E13QAYl-0007il-00@the-village.bc.nu>

Multiple Vulnerabilities In Helix Gnome Installer 0.2

VULNERABILITIES:

The Helix installer contains multiple locally exploitable
vulnerabilities.

1.	Several of the gdmify functions are vulnerable to attack because
	they use system and /tmp in unsafe manners

	> SuSE and Caldera

	A mkdir of the right path by any user prior to root running the Helix
	Installer will blank real config files, losing parts of the user's
	system configuration.

	> Other

	The other cases appear safe basically by chance.

2.	The downloader tries to use a /tmp/helix_install directory, which
	at first seems a good idea. Unfortunately

        rc = mkdir(download_dir, 0600);
        if (rc < 0) {
                if (errno != EEXIST) {
                        error_box(g_strdup_printf("Helix GNOME Update was
                        exit(1);
                }
        }


	In other words, if I get there first and create a mode 777 directory
	the Helix user may end up installing arbitrarily modified packages
	from a local attacker.

3.	When the user quits the updater the updating code on the version
	inspected attempts to delete the files in the download directory.
	Unfortunately due to an elementary coding error it deletes each file
	in the download directory with a corresponding file in /var/tmp


Bugs 2 and 3 combine to allow any hostile local user to make the user
of the Helix Updater delete arbitrary files.

There are other potential holes in the check_rpm code but these
depend on the XML database file fetched from helixcode.com being
compromised. It would appear possible to create a remote exploit
based on DNS spoofing to feed such a tampered XML file to the
Installer but this would be an extremely tricky stunt and has not
been attempted.

Oddly enough given these errors the usual buffer overrun bugs appear
absent.  The authors make religious use of glib safe string
functionality.

WORKAROUND:

Firstly, if you have no untrusted users on the machine you need not
worry about bugs 1-3. This means the majority of users need not
worry. If you have untrusted users you should set the download
directory rather than use the tmp default. A user will be able to
delete arbitrary files in the directory you use, but this can be a new
empty directory, so this is an acceptable workaround.

Be sure to also change the download directory in instances of the
updater run from cron or at.

NOTES:

Helixcode were notified about this on the 7th August.
(5384801) ------------------------------------------(Rewrapped)
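An added example, not code from Helix Code or from Alan Cox's post, showing hardened versions of the two download-directory steps in items 2 and 3 above: an existing directory is checked for ownership and group/other write bits instead of being accepted on EEXIST, and cleanup unlinks only regular files addressed relative to the directory's own descriptor, so a same-named file elsewhere can never be hit. The function names, the helix-install path and the files used in the test are assumptions for illustration.

```c
/* Added example (not Helix Code's or Alan Cox's code). Hardens the two
 * download-directory problems in items 2 and 3: a pre-existing /tmp
 * directory is validated instead of blindly accepted, and cleanup only
 * removes regular files that really live inside that directory. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 0 if `path` is a directory we created now, or one that already existed but
 * is owned by us and not group/other writable; -1 otherwise. */
int secure_download_dir(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) == 0) return 0;           /* fresh, private to us */
    if (errno != EEXIST) return -1;
    /* lstat(): a planted symlink shows up as a symlink, it is not followed */
    if (lstat(path, &st) < 0 || !S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != geteuid()) return -1;          /* someone else got there first */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1; /* others could drop packages in */
    return 0;
}

/* Unlinks regular files directly inside `path`, addressing them relative to
 * an open directory fd, so nothing outside the directory can be touched.
 * Returns the number removed, or -1 if `path` cannot be opened as a real
 * (non-symlink) directory. */
int cleanup_download_dir(const char *path)
{
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    DIR *d = fdopendir(dfd);
    if (!d) { close(dfd); return -1; }
    int removed = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        struct stat st;
        if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) continue;
        if (!S_ISREG(st.st_mode)) continue;         /* ".", "..", subdirs, symlinks */
        if (unlinkat(dfd, e->d_name, 0) == 0) removed++;
    }
    closedir(d);                                    /* also closes dfd */
    return removed;
}
```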

5385037 2000-08-21  23:27  /59 lines/ The Mail Carrier (which is implemented in) Python
Recipient: Bugtraq (import) <12332>
Subject: [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
------------------------------------------------------------
From: Joe Shaw <joe@HELIXCODE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0008200308330.23120@trna.helixcode.com>

HELIX CODE, INC.                                            SECURITY ADVISORY
security@helixcode.com                                Issue Date: 20 Aug 2000

PACKAGES AFFECTED:
Helix GNOME Installer, versions 0.1 through 0.5

SYNOPSIS: Vulnerabilities in the Helix GNOME Installer allow non-root
users to exploit world-writable permissions on /tmp to damage a
system's configuration files or install arbitrarily modified RPM
packages.

DESCRIPTION: Temporary copies of the /etc/config.d/bashrc,
/etc/config.d/csh.cshrc, and /etc/rc.d/rc.gui files on Caldera
OpenLinux eDesktop 2.4 and /etc/rc.config on SuSE 6.3 and 6.4 are
stored in the /tmp directory, modified, and moved back into their
original locations. A mkdir of the right path by any user prior to
root running the Helix GNOME Installer can result in a system's
configuration files being lost.

Furthermore, a directory called /tmp/helix-install is used to
download packages to be installed. If that directory was created by a
malicious non-root user, arbitrarily placed packages could be
installed onto the system.

SOLUTION: A new version of the Helix GNOME Installer (0.6) has been
released. This new version fixes both vulnerabilities. The first is
solved by making backups of the system files in the same directory
from which they came, and doing the operation on these files
in-place. The second is solved by moving the default download
directory to /var/cache/helix-install, which is writable only by root.

AVAILABILITY: New versions of the Helix GNOME Installer are available
immediately from Helix Code, Inc.

A list of supported systems can be found at
http://www.helixcode.com/desktop/download.php3.

For supported i386 systems:
http://spidermonkey.helixcode.com/installer-latest-intel.gz

For supported PPC systems:
http://spidermonkey.helixcode.com/installer-latest-ppc.gz

For supported UltraSparc Solaris systems:
http://spidermonkey.helixcode.com/installer-latest-solaris.Z

VERIFICATION:
d6b369c223fd9e460581f92fba64d3b8  installer-latest-intel.gz
9223cae466e44a3627fc9be492a83c62  installer-latest-ppc.gz
61119233e77b4d5e2deb7989e79a1f0b  installer-latest-solaris.Z

Copyright (C) 2000 Helix Code, Inc.
(5385037) ------------------------------------------(Rewrapped)
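An added example, not Helix Code's code, of the first fix described in the advisory above (backups in the file's own directory, operation in place): the scratch copy is a mkstemp() file beside the config file and the backup is a hard link to the old inode, so /tmp is never involved and no other user can pre-create the path root writes to. The function names and the .helix-bak suffix are assumptions for illustration.

```c
/* Added example (not Helix Code's code). Shows the 0.6 fix for item 1 of
 * the installer advisory: the backup and the scratch copy of a config file
 * live in the file's own directory, never in /tmp, so no other user can
 * pre-create the path root will write to. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reads up to `size` bytes of `path` into `buf`; returns the count or -1. */
ssize_t read_file(const char *path, char *buf, size_t size)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, size);
    close(fd);
    return n;
}

/* Replaces the contents of the regular file `path` with `data`. The old inode
 * stays reachable as "<path>.helix-bak" (a hard link, so no copy through
 * /tmp), the new contents go to a mkstemp() scratch file beside `path`, and
 * rename() swaps it in atomically. Returns 0, or -1 with `path` untouched. */
int rewrite_in_place(const char *path, const char *data, size_t len)
{
    struct stat st;
    char tmp[PATH_MAX], bak[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    if (snprintf(bak, sizeof bak, "%s.helix-bak", path) >= (int)sizeof bak) return -1;
    if (stat(path, &st) < 0 || !S_ISREG(st.st_mode)) return -1;
    int fd = mkstemp(tmp);                      /* created exclusively, mode 0600 */
    if (fd < 0) return -1;
    if (write(fd, data, len) != (ssize_t)len || fsync(fd) < 0 ||
        fchmod(fd, st.st_mode & 07777) < 0) {   /* keep the original mode bits */
        close(fd); unlink(tmp); return -1;
    }
    close(fd);
    unlink(bak);                                /* discard a stale backup, if any */
    if (link(path, bak) < 0) { unlink(tmp); return -1; }
    if (rename(tmp, path) < 0) { unlink(tmp); unlink(bak); return -1; }
    return 0;
}
```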