From xforce@ISS.NET Tue Nov 3 20:22:53 1998
From: X-Force
To: BUGTRAQ@netspace.org
Date: Mon, 2 Nov 1998 17:57:11 -0500
Subject: ISS Security Advisory: BMC PATROL File Creation Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
November 2nd, 1998

BMC PATROL File Creation Vulnerability

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a vulnerability
in BMC Software PATROL(r) Patrol network management software. PATROL
contains a vulnerability that may allow local attackers to compromise
root access. The agent creates insecure temporary files that may lead
to a symbolic link attack.

Affected Versions:

ISS X-Force has confirmed that this vulnerability exists on version
3.2.3 of PATROL Agent(tm) software product. Earlier versions of PATROL
Agent are also vulnerable. Executing any of the PATROL binaries with
the -v flag will report version information.

Fix Information:

BMC Software has been notified of this vulnerability on August 20,
1998. Contact BMC Software at http://www.bmc.com to obtain a patch when
it is made available.

Until a patch is available, ISS suggests administrators restrict access
to PATROL Agent. Administrators are encouraged to create a system
administrator group and to only allow Administrators execute permission
on PATROL Agent. This temporary fix may help contain the vulnerability
until a patch is made available.

Description:

PATROL Agent is installed setuid root with world-execute permissions.
When PATROL Agent is executed, it creates temporary files on the
system. These files are opened and written to in an insecure manner.
This allows local users to create a symbolic link to a privileged file.
This link is then followed upon the initialization of PATROL Agent.
Attackers may use this vulnerability to overwrite any file or create a
new file that is owned by root. Attackers commonly use this method to
indirectly compromise root access.

Temporary files that follow symbolic links are a common source of
vulnerabilities in setuid root executables. Administrators should
remove or restrict access to suid executables if possible. Developers
of setuid programs need to take special precautions to protect their
programs from creating new vulnerabilities on the systems on which they
are installed. The ISS X-Force recommends that all Unix developers
become familiar with Matt Bishop's secure programming tutorials
available at: http://olympus.cs.ucdavis.edu/~bishop/secprog.html

- ----------

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of X-Force. If you wish to reprint the whole or any part of
this alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNj4p3TRfJiV99eG9AQHLmAP+L2nuqBsmAo1eDf+udRufntlLs3IBCKil
qWtSP+xkIYk+Qs6ggEF+pTfZCoK8D+8E0wvYWDOlMhKnP4FKND6eML7tvbdc3QQS
DAIRuMLRKgN6lu0gh1pYMlRpGPOl9VhUYsKsYG1fZEYY7VyRVx4oE58HveVDpTTu
zwb7jHLzTEE=
=5nmg
-----END PGP SIGNATURE-----
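
Added example, not part of the ISS advisory and not PATROL code: the
temporary-file pattern described under "Description" next to a hardened
open, run against a constructed symlink in a private scratch directory.
The function names and the file names "agent.tmp" and "victim" are
hypothetical; the advisory does not name the files PATROL Agent creates.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a predictable path opened with
 * O_CREAT|O_TRUNC, which follows a symlink already sitting at that path. */
int open_tmp_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL refuses any pre-existing name (symlinks included),
 * O_NOFOLLOW is a second guard, and fstat() checks what was really opened. */
int open_tmp_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario in a private scratch directory: "agent.tmp" is a
 * symlink to "victim". Returns bit 0 if the insecure open truncated the
 * victim, bit 1 if the safe open refused the path; -1 on setup failure. */
int demo(void) {
    char dir[] = "/tmp/tmpdemoXXXXXX", victim[64], tmp[64];
    struct stat st;
    int fd, result = 0;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/agent.tmp", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("important data\n", f);
    fclose(f);
    if (symlink(victim, tmp) != 0) return -1;
    if ((fd = open_tmp_safe(tmp)) < 0) result |= 2; else close(fd);
    if (stat(victim, &st) != 0 || st.st_size == 0) return -1; /* must be intact */
    if ((fd = open_tmp_insecure(tmp)) >= 0) close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 0) result |= 1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

In a setuid program the same checks belong on every file created in a
directory other users can write to; creating the file with mkstemp() or
inside a directory only the program's owner can write to avoids the
predictable name altogether.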