Date: Fri, 30 Jul 1999 23:59:03 +0200
From: smaster@sail.it
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: World writable root owned script in SalesBuilder (RedHat 6.0)
SPJ-001-000:
.::::::::+[ s0ftpr0ject 99 ]+::::::::.
::::+[ Digital Security for Y2K ]+::::
:::'"""`"'"""`"'"""`"'"""`"'"`"'""`:::
::'.g#S$"$S#n. .g#S$"$S#n. S#n.`::
:: $$$$$ $$$$$ $$$$$ $$$$$ $$$$ ::
:: $$$$$ $$$$$ $$$$$ $$$$ ::
:: `$$$$$$$$$n $$$$$ $$$$$ $$$$ ::
:: $$$$$ $$$$$s$$$$' $$$$ ::
:: $$$$$ $$$$$ $$$$$ $$$$$ $$$$ ::
:: `$$$$s$$$S' `$$$$ `$$$$s$$S' ::
:::...........:.....:::::..........:::
:::+[ Security Advisory, 001-000 ]+:::
`::::::::+[ July 12, 1999 ]+:::::::::'
World Writable File in SalesBuilder
by |scacco| <scacco@s0ftpj.org>
---[ Systems affected ]-------------------------------------------------------
All systems running Acushop SalesBuilder.
---[ Condition of discovery ]-------------------------------------------------
This bug was discovered installing software from the application cd shipped
with RedHat Linux 6.0 as root.
---[ Detailed description ]---------------------------------------------------
The startup file .sbstart linked from /usr/bin/salesbuilder and
/usr/local/bin/salesbuilder is set world writable so anyone can add code
to it and possibly get root locally. .sbstart can be found (after
installing it from RedHat application cd) at /usr/local/bin/acushop/.sbstart.
If this application was installed as root you will see this permission
set:
-rwxrwxrwx 1 root root 163 Jun 29 19:45 .sbstart
Seems it can be executed and write by everyone. Someone can simply add a line
line echo "r00t::0:0::/root:/bin/sh" >> /etc/passwd or make a script executed
with root uid and gid.
Note that this file is set hidden using . as prefix so modifications are
really hard to discover from a not-so expert system administrator.
---[ Exploitation ]-----------------------------------------------------------
Just edit the file with a normal text editor like vi, joe, pico or emacs and
add a line like:
echo "r00t::0:0::/root:/bin/sh" >> /etc/passwd
Of course there are many ways to get this hole usable, you can figure out how.
---[Possible fixes ]----------------------------------------------------------
Possible fix is to install this software not as root, and if it necessary
do not set it world writable. Acushop was advised of this vulnerability but
seemed not really interested in security.
---[ URLs and references ]----------------------------------------------------
Acushop Sales Builder can be found at http://www.acushop.com.
---[ Contact informations ]---------------------------------------------------
s0ftpr0ject 99 - Digital security for Y2K (s0ftpj)
no-profit security research
Internet site: http://www.s0ftpj.org
E-mail : advisory@s0ftpj.org
: staff@s0ftpj.org
All advisories and security documents are available via http at:
http://www.s0ftpj.org (195.32.69.44) courtesy of Metro Olografix
http://www.olografix.org (195.32.69.44)
This document has no copyright, feel free to distribute it without any
limitation. Original copy of this document can be found at out Internet site
for free. You are not allowed to modify this paper without prior notify to
s0ftpr0ject staff at staff@s0ftpj.org.
---[ s0ftpr0ject 99 staff Public PGP Key ]------------------------------------
Type Bits/KeyID Date User ID
pub 2600/15A01BB9 1999/07/22 S0ftPj Staff <staff@s0ftpj.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
mQFSAzeXNL8AAAEKKNzvok6FkB24mQUEx5Q4SZ97dQlmx3yNeEvG7aJ/0TDKWWUv
f6a+t1jF8V7JMhV1JxU/z38MgTYRGt6dspWlTLKb543GxBRqOdMohigBu8rUmDEb
UlD9gAav5M+OSY6oNh5a7e/YrPLhOiqxNxBIXQCDgKtIUv9NF8KbcbS96EAmNsuH
UA/hJ2Arlx2wSkmJZgvcpiM6O/1g1OYgg7Gur39SqsNZn0RUKxi463qASGfJT4sa
rpH6clBsVpNei5bf/4Bke5/8dnJL5DzM0twxTUmvdq1Pt1+6sRCd70IsqXPvjZu2
Drx4rzlLItD84xmE9w/vGdLMtPSTPwX7ak2TvhWqBOkqzWJNiRjzi+T6HiNfuqUr
sr90FndiRNJcWCbmPs2TJISLePsi9AVGL5KFfmimdSJPagzWG1FVQhyo2HS4nRWg
G7kABRG0H1MwZnRQaiBTdGFmZiA8c3RhZmZAczBmdHBqLm9yZz6JAVoDBRA3lzS/
2HS4nRWgG7kBAaYiCiQPM05Pr5FkSgjHkVUbgyxwuWkp9MDOxhvFAgcsHJUX2h6V
F02vzDMR2BOvaRhkm43IwXxK490Tp86pbbhC28SiF3TEyHjmu8tMrXo/cX69fcqy
IbvVgHKEIUYR8Sik7mLX9HqUh9qh7e6o4cH5TsCCJxIoqf2Qt4t5HA4m77H1niNP
EqY2HGzvQUPfvTf+KffdLGoAa/NSKJyB8stlWIJ4SAe7EkGscSjcDFvrm25pDT33
JHyBHBdmUY0Kr+gzmg9CuUZUhVtdun0mwZJLicOSUFQeYuPsid+ayggdgfGR7spM
NymPkS2MF8jGOKCa9EqWbn5gBP0uZm5aMrg6+O+s+xNonK0BcFH7iIUAsL9qUHLD
4edFudwxa6XW7LuJoqDVlUzhqA3Ru5Yd8eTD7vbcjR3fRngDpLDu8UhC0MFQSoDW
IWKJ
=i4i0
-----END PGP PUBLIC KEY BLOCK-----
