Date: Wed, 21 Nov 2001 13:50:21 -0600
From: Eric Anderson <anderson@centtech.com>
To: The Anarcat <anarcat@anarcat.dyndns.org>
Cc: airot@lazir.toya.net.pl, FreeBSD Security Issues <FreeBSD-security@freebsd.org>
Subject: Re: fun with pkg_add
Message-ID: <3BFC057D.49A7AE1B@centtech.com>
References: <20011121191808.GD44370@shall.anarcat.dyndns.org> <Pine.LNX.4.33.0111212032370.22602-100000@lazir.toya.net.pl> <20011121194634.GB69296@shall.anarcat.dyndns.org>

It would be very trivial to write a script that watched every second for
a new package install, overwriting the executable binaries with hacked
scripts or other binaries, without an attacker even paying attention..
15 minutes with perl and you have your exploit.

Eric

The Anarcat wrote:
>
> On Wed Nov 21, 2001 at 08:38:06PM +0100, airot@lazir.toya.net.pl wrote:
> >
> >
> > On Wed, 21 Nov 2001, The Anarcat wrote:
> >
> > > Hi!
> > >
> > > I just noticed something that could be a problem with pkg_add
> > > algorithms. When it installs a package, it first untars it in a
> > > temporary directory. The problem is that the subdirectories of the
> > > package created this way are world-writable:
> > >
> > > $ ftp -a ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/All/auctex-10.0g.tgz
> > > $ pkg_add auctex-10.0g.tgz
> > > ^Z
> > ^Z is SIGTSTP, it suspends processes; there is a very small possibility that
> > our 'attacker' will change something when you are installing a package. ;-)
>
> Wrong. With large packages such as XFree86, the untarring actually takes
> a few minutes, sometimes, and thus leaves a large window of attack.
>
> > I didn't check the /var/tmp/inst* directory permissions, but I guess it's
> > impossible to exploit this security issue.
>
> Again, I do not agree, as I have exploited this security issue.
>
> It might be related to some misconfiguration on my side (but I doubt
> it), and it is why I sent this to the list first, to get some
> confirmation of the bug.
>
> A.

--
-------------------------------------------------------------
Eric Anderson     anderson@centtech.com    Centaur Technology
An unbreakable toy is useful for breaking other toys.
-------------------------------------------------------------
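
A defender-side check for the condition discussed in this thread, added here as an example; it is not part of any message in the thread and is not pkg_add code. The function names `make_staging` and `audit_staging` and the `inst.XXXXXX` template are assumptions chosen for illustration. The idea is that a staging directory with mode 0700 shields its contents from other local users even when subdirectories inside it are world-writable, and that a staging directory searchable by others must contain no world-writable directory.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from pkg_add).

# make_staging BASE: create a private staging directory under BASE and
# print its path. mktemp -d creates it with mode 0700; chmod makes that
# explicit so the result does not depend on the mktemp implementation.
make_staging() {
    d=$(mktemp -d "$1/inst.XXXXXX") || return 1
    chmod 700 "$d" || return 1
    printf '%s\n' "$d"
}

# audit_staging DIR: return 0 if no other local user can write into the
# tree, 1 (listing the offending directories) if they can, 2 on bad input.
audit_staging() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "audit_staging: not a directory: $dir" >&2
        return 2
    fi
    # -prune keeps find on DIR itself. If neither group nor other has the
    # search (x) bit on DIR, nothing below it is reachable by another
    # user, whatever the modes of the subdirectories are.
    exposed=$(find "$dir" -prune \( -perm -0010 -o -perm -0001 \) -print)
    if [ -z "$exposed" ]; then
        return 0
    fi
    # DIR is traversable: every directory with the other-write bit set is
    # a place where files can be swapped while the install is running.
    found=$(find "$dir" -type d -perm -0002 -print)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}
```

Run `audit_staging` against the extraction directory while an install is in progress, or from a periodic job over the temporary directory the installer uses; a non-zero return with a list of paths is the condition reported in this thread.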