Closed
Bug 98723
Opened 24 years ago
Closed 24 years ago
Security risk in run-mozilla.sh script
Categories
(SeaMonkey :: Build Config, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
mozilla0.9.5
People
(Reporter: ashuk, Assigned: cls)
Details
Attachments
(1 file)
The moz_usage function in run-mozilla.sh creates a temporary file in the /tmp
dir. Since NS 6.x/Mozilla on Solaris can be installed by root in multiuser mode,
a malicious user could use this to overwrite user files (by creating a link in
the /tmp dir with the name of the tmp file created before NS6 is installed). The
fix would be to change the moz_usage function in run-mozilla.sh to use echo
instead of cat << EOF.
Here is the problem report as posted by Larry W. Cashdollar <lwc@Vapid.dhs.org>
on some security related newsgroups and the netscape6-feedback@eng.sun.com
alias.
----------------------------------------
Here is another example of the ksh "here document" vulnerability.
Except it is for Netscape 6.01a on Solaris 2.x. This creates the same
symlink vulnerability as the previous patchadd post. Except you're more
likely to destroy user files rather than system files.
run-mozilla.sh creates a "here document" in function moz_usage().
#!/bin/sh
---snip--
.
.
.
moz_usage()
{
cat << EOF
Usage: ${cmdname} [options] [program]
options:
-snip-
.
.
.
EOF
Temp dir listing:
pangea #ls -l /tmp
-rw-r--r-- 1 lwc user 399 Aug 28 08:38 sh10040
Truss output:
1004: stat64("/tmp/sh10040", 0xFFBEEDD8) Err#2 ENOENT
1004: creat64("/tmp/sh10040", 0666) = 3
1004: unlink("/tmp/sh10040") = 0
Solution? Use echo or another shell.
---------------------------------------------------------------------
Severity: normal → critical
Status: NEW → ASSIGNED
Priority: -- → P1
Comment 1•24 years ago
Updated•24 years ago
|
Target Milestone: --- → mozilla0.9.5
Comment 2•24 years ago
The milestone for this should be 0.9.4 given that it is the eClient release and
most enterprise installations will be multiuser installations. Also, given that
the potential fixes for this are low-risk, why not try to get this into 0.9.4?
Comment on attachment 48620 [details] [diff] [review]
diff of simple patch for this problem. Replacing cat << EOF by echo statements
r=cls
Attachment #48620 -
Flags: review+
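The reviewed patch replaces the here-document in moz_usage() with echo statements so that the shell never has to spool the usage text through a /tmp/sh<pid> file. The following is an added example and not the diff from attachment 48620: a POSIX sh version of the same idea using printf, plus a small grep-based check a maintainer can run over scripts that execute as root during package installation to list any here-documents that remain. The option lines, the function names and the cmdname default are constructed placeholders, not text from run-mozilla.sh.

```sh
#!/bin/sh
# Added example, not the patch from attachment 48620: a usage function that
# prints with printf instead of "cat << EOF", so the shell never writes the
# text to a /tmp/sh<pid> file first. The option lines are constructed
# placeholders; the real script lists more of them.

cmdname=${cmdname:-run-mozilla.sh}   # placeholder; the script derives this from $0

# Hypothetical hardened replacement for moz_usage(): no here-document, so no
# temporary file is created and nothing planted in /tmp can be followed.
moz_usage_noheredoc()
{
    printf 'Usage: %s [options] [program]\n' "${cmdname}"
    printf '  options:\n'
    printf '    -h        Print this usage message.\n'
    printf '    -d dir    Use dir as the Mozilla directory (constructed example).\n'
}

# Maintainer check: list the lines of a script that open a here-document
# ("<<" or "<<-"), skipping "<<<" here-strings and comment lines, so scripts
# that run as root at install time can be audited for them before release.
find_heredocs()
{
    grep -n '<<' "$1" | grep -v '<<<' | grep -v '^[0-9]*:[[:space:]]*#' || true
}

# Stand-alone demonstration: emit the usage text without touching /tmp.
moz_usage_noheredoc
```

find_heredocs prints "line:text" pairs, so an empty result means the script has no here-documents left; a non-empty result points at exactly the constructs the reporter's truss output shows creating and unlinking /tmp/sh10040.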
Comment 4•24 years ago
cc: asa@mozilla.org regarding 0.9.4
Comment 5•24 years ago
a=blizzard on behalf of drivers for 0.9.4
Patch has been checked into the trunk & the 0.9.4. branch.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 7•24 years ago
cls, thanks for checking this in.
Component: Browser-General → Build Config
QA Contact: doronr → granrose
Comment 9•24 years ago
Here's how you can verify the bug:
/tmp has all user level permissions. Create a symlink in /tmp as an ordinary
user with the same filename as that created by the run-mozilla.sh script
moz_usage() function. This symlink should point to some important root-only
file. For example, you could create something that looks like
lrwxrwxrwx 1 ashuk staff 15 Sep 18 11:00 sh10040
-> /etc/inetd.conf
where the /etc/inetd.conf file has root permissions only.
Now, on Solaris, the SVR4 package (the form in which NS6 is bundled for
distribution) needs to be installed as root. So run-mozilla.sh will get
executed as root and will append to the file /tmp/sh10040, which in turn is a
symlink to /etc/inetd.conf. So the root file inetd.conf gets modified without
anyone realising it.
This is dangerous! A malicious user (who does not have root privileges) could
cause root files to be overwritten simply by creating such symlinks in the /tmp
directory before the sysadmin installs NS6.x from a SVR4 bundle. Try the
scenario described above with the original run-mozilla.sh and you will see the
root file being overwritten.
Apply the patch and this problem goes away because no tmp file is created.
Updated•20 years ago
Product: Browser → Seamonkey