Closed Bug 98723 Opened 23 years ago Closed 23 years ago

Security risk in run-mozilla.sh script

Categories

(SeaMonkey :: Build Config, defect, P1)

Sun
Solaris
defect

Tracking

(Not tracked)

VERIFIED FIXED
mozilla0.9.5

People

(Reporter: ashuk, Assigned: cls)

Details

Attachments

(1 file)

The moz_usage function in run-mozilla.sh creates a temporary file in the /tmp
dir. Since NS 6.x/Mozilla on Solaris can be installed by root in multiuser mode
a malicious user could use this to overwrite user files (by creating a link in
the /tmp dir with the name of the tmp file created before NS6 is installed). The
fix would be to change the moz_usage function in run-mozilla.sh to use echo
instead of cat << EOF. 

Here is the problem report as posted by Larry W. Cashdollar <lwc@Vapid.dhs.org>
on some security related newsgroups and the netscape6-feedback@eng.sun.com
alias.

----------------------------------------
Here is another example of the ksh "here document" vulnerability. 
Except it is for Netscape 6.01a on Solaris 2.x.  This creates the same 
symlink vulnerability as the previous patchadd post.  Except you're more
likely to destroy user files rather than system files. 

run-mozilla.sh creates a "here document" in function moz_usage(). 

#!/bin/sh 
---snip-- 
. 
. 
. 

moz_usage() 
{ 

  cat << EOF 

Usage:  ${cmdname} [options] [program] 

  options: 

-snip- 
. 
. 
. 
EOF 

Temp dir listing: 

pangea #ls -l /tmp 
-rw-r--r--   1 lwc     user        399 Aug 28 08:38 sh10040 

Truss output: 

1004:   stat64("/tmp/sh10040", 0xFFBEEDD8)              Err#2 ENOENT 
1004:   creat64("/tmp/sh10040", 0666)                   = 3 
1004:   unlink("/tmp/sh10040")                          = 0 
  

Solution? Use echo or another shell. 

---------------------------------------------------------------------
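As an added illustration (not the bug's attachment nor any Mozilla code), the here-document form of moz_usage() that the post describes, beside the echo-based form the fix adopts, plus a small lint function that flags here-document operators in a script. The `cmdname` value and the placeholder option line are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the run-mozilla.sh patch.
cmdname="run-mozilla.sh"   # assumed here; the real script sets this itself

# Pattern described in the bug: the shell may spool the here-document into
# /tmp/sh<pid> before cat reads it, so a pre-planted symlink of that name
# redirects the write (defect is in the shell, not in cat).
moz_usage_heredoc()
{
  cat << EOF
Usage:  ${cmdname} [options] [program]

  options:
    (option list omitted in this example)
EOF
}

# Fixed pattern from the patch description: echo writes straight to stdout,
# so no temporary file exists for a /tmp symlink to hijack.
moz_usage_echo()
{
  echo "Usage:  ${cmdname} [options] [program]"
  echo ""
  echo "  options:"
  echo "    (option list omitted in this example)"
}

# Lint helper: succeed (exit 0) only if the given script contains no
# here-document operator ("<<" or "<<-" followed by a delimiter word).
# Heuristic text match; it does not evaluate the script.
check_no_heredoc()
{
  if grep -q '<<-\{0,1\}[[:space:]]*['"'"'"]\{0,1\}[A-Za-z_]' "$1"; then
    return 1
  fi
  return 0
}
```

Running check_no_heredoc over the original run-mozilla.sh reports the here-document; over the patched script it stays silent.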
Severity: normal → critical
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla0.9.5
The milestone for this should be 0.9.4 given that it is the eClient release and
most enterprise installations will be multiuser installations. Also, given that
the potential fixes for this are low-risk, why not try to get this into 0.9.4.
Comment on attachment 48620:
diff of simple patch for this problem. Replacing cat << EOF by echo statements

r=cls
Attachment #48620 - Flags: review+
cc: asa@mozilla.org regarding 0.9.4
a=blizzard on behalf of drivers for 0.9.4
Patch has been checked into the trunk & the 0.9.4. branch.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
cls, thanks for checking this in.
Component: Browser-General → Build Config
QA Contact: doronr → granrose
pls advise on how to verify.
Here's how you can verify the bug:

/tmp has all user level permissions. Create a symlink in /tmp as an ordinary 
user with the same filename as that created by the run-mozilla.sh script 
moz_usage() function. This symlink should point to some important root-only 
file. For example, you could create something that looks like
lrwxrwxrwx   1 ashuk    staff          15 Sep 18 11:00 sh10040 
-> /etc/inetd.conf
where the /etc/inetd.conf file has root permissions only.

Now, on Solaris, the SVR4 package (the form in which NS6 is bundled for 
distribution) needs to be installed as root. So run-mozilla.sh will get 
executed as root and will append to the file /tmp/sh10040 which in turn is a 
symlink to /etc/inetd.conf. So the root file inetd.conf gets modified without 
anyone realising it.

This is dangerous! A malicious user (who does not have root privileges) could 
cause root files to be overwritten simply by creating such symlinks in the /tmp 
directory before the sysadmin installs NS6.x from a SVR4 bundle. Try this 
scenario described above with the original run-mozilla.sh and you will see the 
root file being overwritten.

Apply the patch and this problem goes away because no tmp file is created.
verified
Status: RESOLVED → VERIFIED
Product: Browser → Seamonkey