Astaro Security Linux Improper File Permissions Flaw


Date: Tue, 12 Feb 2002 09:46:39 -0500
From: dendler@idefense.com
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Subject: Astaro Security Linux Improper File Permissions Flaw
Cc: mhennig@astaro.com

iDEFENSE Intelligence Operations discovered security 
issues in improper file and directory permissions 
during an audit of Astaro AG's Astaro Linux. Astaro 
Linux designates a number of files and directories as 
world writeable that should probably not be. This, 
combined with other more serious flaws, could 
potentially result in system compromise or denial of 
service. 

Astaro AG bills its Linux packages as "Security Linux." 

  
Analysis: World writeable files and directories are 
dangerous because any user on the system, even one 
running in a restricted account such as "nobody" can 
access the files, write to them, and potentially delete 
them. World writeable directories can be especially 
dangerous when they are used to store files covertly. 
Any directories and files contained within the world 
writeable directory can potentially be modified. 

Several sensitive configuration files and directories 
are world writeable, meaning an attacker with any level 
of access to the root file system could cause damage or 
subvert the services/applications relying on those 
files. 

The following files are world writeable: 
∙ /etc/protocols 
∙ /etc/ssh/ssh_host_dsa_key.pub 
∙ /etc/ssh/ssh_host_key.pub 

It is unknown whether or not the following files need 
to be world writeable for the system to function 
properly, but it appears safe to remove the world 
writeable attribute: 

∙ /etc/up2date/latest_md5sum 
∙ /wtc/wfe/conf/console 
∙ /wtc/wfe/conf/nameserver 
∙ /wtc/wfe/conf/netzkartendata 
∙ /var/log/account/timestamp 

Astaro Linux also contains a number of world writeable 
directories: 
∙ /var 
∙ /etc/up2date/lib1 
∙ /etc/up2date/lib2 

In general, the /var directory should not be world 
writeable on any *nix system since by filling up the 
associated partition, an attacker may prevent log files 
from being written to hide his activity.

Detection: Finding world writeable files and 
directories is easy; simply use the "find" command: 

find / -type d -perm -002 
find / -type f -perm -002 

These commands will list all world writeable 
directories and files respectively. Some of the 
directories, such as /tmp, are meant to be world 
writeable, and leaving them as such is relatively safe. 

Workaround: Removing the world writeable bit on the 
files can be accomplished using chmod: 

chmod o-w filename 

This will work for both files and directories.  

Vendor Response: Markus Hennig of Astaro 
<mhennig@astaro.com> promptly confirmed the incorrect 
file permissions and worked with us responsibly to 
resolve these issues.  The latest Up2Date 2.022 fixes 
the file permissions and is now available on Astaro 
Up2Date servers.


-dave

David Endler, CISSP
Director, iDEFENSE Labs
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com
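
The detection and workaround steps from the advisory, combined into one audit script. This is an added example, not part of the original post or any iDEFENSE or Astaro tooling; the function names are made up here, and it skips sticky-bit directories such as /tmp, which the advisory notes are meant to be world writeable.

```shell
#!/bin/sh
# Added example: audit a tree for world-writeable entries, then remove the bit.
# Function names (ww_files, ww_dirs_unsafe, ww_fix, ww_report) are hypothetical.

# World-writeable regular files under $1. -xdev keeps find on one filesystem,
# so pseudo-filesystems mounted below the start point are not walked.
ww_files() {
    find "$1" -xdev -type f -perm -002 2>/dev/null
}

# World-writeable directories under $1 that lack the sticky bit (01000).
# A sticky directory such as /tmp (mode 1777) only lets the owner of an
# entry delete or rename it, so it is left out of the findings.
ww_dirs_unsafe() {
    find "$1" -xdev -type d -perm -002 ! -perm -1000 2>/dev/null
}

# Apply the advisory's workaround (chmod o-w) to everything reported above.
# -exec ... {} + hands the paths to chmod directly, so odd file names are safe.
ww_fix() {
    find "$1" -xdev \( -type f -perm -002 -o \
        -type d -perm -002 ! -perm -1000 \) -exec chmod o-w {} +
}

# Print a report without changing anything.
ww_report() {
    echo "World-writeable files under $1:"
    ww_files "$1"
    echo "World-writeable directories without sticky bit under $1:"
    ww_dirs_unsafe "$1"
}

# Report only when a start directory is given, e.g.: sh ww_audit.sh /etc
[ "$#" -eq 0 ] || ww_report "$1"
```

Review the report before calling ww_fix, since some applications expect specific permissions on their own files.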
