Possible race condition in Symantec AntiVirus Scan Engine for Red Hat Linux during LiveUpdate


Date: Mon, 16 Feb 2004 16:49:53 +0100
From: "Dr. Peter Bieringer" <pbieringer@aerasec.de>
To: bugtraq@securityfocus.com
Subject: Possible race condition in Symantec AntiVirus Scan Engine for Red Hat Linux during LiveUpdate
Cc: full-disclosure@lists.netsys.com

Hi,

during evaluation of Symantec AntiVirus Scan Engine for Red Hat Linux
(file: Scan_Engine_430-RedHat-1.zip) we found a race condition using the
default configuration.

As written in "Implementation_Guide.pdf" on page 134, LiveUpdate can be
triggered by cron via a shell script:

# /opt/SYMCScan/bin/liveupdate.sh -virusdefs
    or
# /bin/sh /opt/SYMCScan/bin/liveupdate.sh -virusdefs

This will create a log file in /tmp with a very predictable name:
 "/tmp/LiveUpdate.log" (with permissions of 644)

# ll /tmp/
-rw-r--r--    1 symantec avdefs       4517 Feb 16 15:05 LiveUpdate.log

This is defined in the config file "liveupdate.conf":

# cat /etc/liveupdate.conf
protocol=http
host=liveupdate.symantec.com
workdir=/tmp
logfile=/tmp/LiveUpdate.log  <---!!!!!!

Impact:
Before the first run of LiveUpdate (as suggested in the doc, user "symantec" does
this) a possible race condition via a symlink attack by another user will
result in the creation of a new file (as user "symantec") or appending the
LiveUpdate log to an existing file (owned by user "symantec").

Additional *important* note:
Because the PDF document doesn't match the as-it-is of the installation (a
user "symantec" can't execute liveupdate.sh without adjusting the
permissions of the shell script and the directory "virusdefs") it's very
possible that admins configure the crontab entry for "liveupdate.sh" as
user "root"!

# ll /opt/SYMCScan/bin/liveupdate.sh
-rwxr-x---    1 root     root        14700 Feb 16 16:16 /opt/SYMCScan/bin/liveupdate.sh

# ll /opt/SYMCScan |grep virusdefs
drwxr-xr-x    2 root     root         4096 Feb 16 16:16 virusdefs


BTW: The installer uses the PID for tmp directory naming, another minor issue...

# ll /tmp/
drwxr-xr-x    2 root     root         4096 Feb 16 15:47 symcinst9918
# ps -ax | grep 9918
  9918 pts/0    S      0:02 sh ./ScanEngine.sh

-> fix to an unpredictable name


BTW2: looks like a temp directory during install always has the same name.
# ll /tmp/
drwx------    2 root     root         4096 Feb 16 16:16 savsetmp

-> fix to an unpredictable name


BTW3: temporary directory during LiveUpdate run has permissions 755
# ll /tmp/
drwxr-xr-x    2 root     root         4096 Feb 16 16:37 1076967476267

-> fix permissions to at least 750, perhaps it's also not the best method
to use Unix time in milliseconds to name this directory.


Suggestions/workarounds:
* for the software vendor:
    use a better default value, e.g.
      logfile=/var/log/LiveUpdate.log
    Fix permissions of log file to at least 640
    Fix PDF document or/and permissions for
      liveupdate.sh and directory virusdefs
      (and on RHL systems: "/usr/bin/sh" doesn't exist, fix to "/bin/sh")
    Fix predictable directory names during installation
    Fix permissions of temp directory during LiveUpdate run to at least 750
    Fix name of temp directory to a more unpredictable one


* for administrators:
    adjust config file before first run of the LiveUpdate process
    adjust permissions of
      liveupdate.sh and directory virusdefs
      and run liveupdate.sh as non-root user


Regards,
	Dr. Peter Bieringer
-- 
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@aerasec.de
Germany                                Internet: http://www.aerasec.de
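
The mitigations the advisory asks for (an unpredictably named temp directory with restrictive permissions, a log file that a pre-planted symlink cannot redirect, a 640 log mode) shown as a shell example. This is an added illustration, not part of the advisory and not the vendor's liveupdate.sh; the directory prefix, file names and the `liveupdate.XXXXXX` template are placeholders, and the demonstration runs inside a private scratch directory it creates itself rather than touching a shared /tmp.

```shell
#!/bin/sh
# Added example (not from the advisory or from the vendor's liveupdate.sh):
# a cron-driven updater creating its work directory and log file in a way
# that a symlink pre-planted by another user in a shared /tmp cannot
# redirect. Directory prefix and file names are illustrative placeholders.

# Create a private, unpredictably named work directory.
# mktemp -d creates it atomically with mode 700, which replaces both the
# guessable names (PID, Unix milliseconds, fixed "savsetmp") and the 755
# permissions described in the advisory.
make_workdir() {
    mktemp -d "${1:-${TMPDIR:-/tmp}}/liveupdate.XXXXXX"
}

# Create the log file exclusively, refusing to follow whatever is already
# at that path. Under 'set -C' (noclobber) the shell opens the target with
# O_EXCL, so an existing file or a planted symlink (dangling or not) makes
# the redirection fail instead of creating or truncating the link target.
# The umask keeps the file from ever being world-readable; the final mode
# is 640, the minimum the advisory asks for.
# Returns 0 when created, 1 when something already occupies the path.
create_log() {
    log=$1
    if ( umask 027; set -C; : > "$log" ) 2>/dev/null; then
        chmod 640 "$log"
        return 0
    fi
    echo "refusing to create $log: path already exists (planted link?)" >&2
    return 1
}

# Return 0 when an existing log is a regular file (not a symlink) owned by
# the current user and therefore acceptable to append to on later runs.
# This check is only meaningful in a directory other users cannot write to,
# such as /var/log, which is why the advisory recommends moving the log
# out of /tmp: in a world-writable directory the file can be swapped
# between the check and the append.
log_is_trusted() {
    log=$1
    [ ! -L "$log" ] && [ -f "$log" ] && [ -O "$log" ]
}

# Demonstration inside a private scratch directory (constructed here).
demo() {
    work=$(make_workdir) || return 1
    echo "work dir $work: $(ls -ld "$work" | cut -c1-10)"
    # Simulate a pre-planted symlink at the predictable log name.
    ln -s "$work/must-not-be-created" "$work/LiveUpdate.log"
    create_log "$work/LiveUpdate.log" || echo "planted link was not followed"
    [ -e "$work/must-not-be-created" ] || echo "link target was never created"
    # A path nobody planted is created normally with restrictive permissions.
    create_log "$work/run.log" && echo "run.log: $(ls -l "$work/run.log" | cut -c1-10)"
    log_is_trusted "$work/run.log" && echo "run.log is safe to append to"
    rm -rf "$work"
}
demo
```

The exclusive create is what matters for the first run the advisory discusses: under noclobber the shell refuses the redirection when the path already exists, whether as a file or as a symlink, so nothing is created or truncated through a planted link. Later appends are only safe once the log lives in a directory such as /var/log that other users cannot write to, which is the vendor-side change the advisory suggests.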
