Bug 28224

Summary: expect searches /var/tmp before /usr/lib
Product: [Retired] Red Hat Linux
Reporter: Need Real Name <empathy>
Component: tcltk
Assignee: Jens Petersen <petersen>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: high
Version: 7.0
CC: dr
Keywords: Security
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-03-13 14:10:17 UTC

Description Need Real Name 2001-02-18 11:43:26 UTC
/usr/bin/expect searches a series of directories under /var/tmp before
looking in the correct location for the library file
/usr/lib/libexpect5.31.so, which allows a malicious user to cause commands
to be executed as another user, and in the case of mkpasswd, probably
root.

Although I haven't looked at the source, a preliminary investigation
(strings `which expect`) suggests that this is due to a path being given in
the file of "/var/tmp/tcltk-root/usr/lib:/usr/X11R6/lib" (which may be a
remnant from testing?)

[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
6:stat64("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffec4c) = -1 ENOSYS (Function not implemented)
7:stat("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
8:open("/var/tmp/tcltk-root/usr/lib/i686/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
9:stat("/var/tmp/tcltk-root/usr/lib/i686", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
10:open("/var/tmp/tcltk-root/usr/lib/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
11:stat("/var/tmp/tcltk-root/usr/lib/mmx", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
12:open("/var/tmp/tcltk-root/usr/lib/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
13:stat("/var/tmp/tcltk-root/usr/lib", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
[root@clarity /tmp]#

The utility /usr/bin/mkpasswd is an expect script that is designed to be
used by root to change passwords of users to a random string. 

If a malicious user were to put a trojan version of libexpect5.31.so in 
/var/tmp/tcltk-root/usr/lib/i686/mmx/ or one of the other directories, that
would be loaded and executed.

[root@clarity /tmp]# su evil
[evil@clarity /tmp]$ mkdirhier /var/tmp/tcltk-root/usr/lib/i686/mmx/
[evil@clarity /tmp]$ touch /var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so
[evil@clarity /tmp]$ exit
[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4
[root@clarity /tmp]# more /tmp/twall
execve("/usr/bin/expect", ["expect"], [/* 29 vars */]) = 0
uname({sys="Linux", node="clarity", ...}) = 0
brk(0)                                  = 0x8049c90
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4
read(4, "", 1024)                       = 0
close(4)                                = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[root@clarity /tmp]#

If the file had been a valid library, instead of a 0 byte file, it would've
loaded instead.

A number of other programs also use this utility, but no others seem to be
as likely to be run by root.


--zen-parse
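As an added example (not part of the bug report or the tcltk package): a small Python audit that reads strace output like the traces above and flags every shared object the process tried to open from a world-writable directory, separating failed ENOENT probes (which show where a planted file would be picked up) from a successful open. The UNTRUSTED_PREFIXES list and the sample log lines are assumptions constructed for this example.

```python
import re

# Directories any local user can write to (assumption: adjust for the host).
# A shared object opened from here is under an unprivileged user's control.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# strace open() records, optionally prefixed by a "grep -n" line number, e.g.
#   5:open("/var/tmp/x/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
#   open("/var/tmp/x/libexpect5.31.so", O_RDONLY) = 4
OPEN_RE = re.compile(r'^(?:\d+:)?open\("([^"]+)",[^)]*\)\s*=\s*(-?\d+)')

# libfoo.so and versioned names such as libfoo.so.5; not /etc/ld.so.preload.
SO_NAME_RE = re.compile(r"\.so(\.\d+)*$")

def is_shared_object(path):
    return bool(SO_NAME_RE.search(path.rsplit("/", 1)[-1]))

def audit_strace(lines):
    """One finding per open() of a shared object under an untrusted prefix.
    'loaded' is True when open() returned a descriptor (a file really existed
    there), False when it was only an ENOENT probe of that location."""
    findings = []
    for line in lines:
        m = OPEN_RE.match(line.strip())
        if not m:
            continue
        path, ret = m.group(1), int(m.group(2))
        if is_shared_object(path) and path.startswith(UNTRUSTED_PREFIXES):
            findings.append({"path": path, "loaded": ret >= 0})
    return findings

def severity(findings):
    """'loaded' if an untrusted library was actually opened, 'probe' if only
    missing-file lookups were seen, 'clean' otherwise."""
    if any(f["loaded"] for f in findings):
        return "loaded"
    return "probe" if findings else "clean"

# Constructed sample lines modelled on the report's two runs (not real captures).
BEFORE = [
    '5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)',
    '6:stat64("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffec4c) = -1 ENOSYS (Function not implemented)',
    '12:open("/var/tmp/tcltk-root/usr/lib/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)',
    'open("/usr/lib/libexpect5.31.so", O_RDONLY) = 4',
]
AFTER = [
    'open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)',
    'open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4',
]

if __name__ == "__main__":
    for name, log in (("before", BEFORE), ("after", AFTER)):
        print(name, severity(audit_strace(log)), audit_strace(log))
```

The same check works on a live capture with `strace -f -o trace.log <program>` and `audit_strace(open("trace.log"))`; a "probe" result on a privileged program is already worth fixing, since the directory only has to exist and be writable.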

Comment 1 Need Real Name 2001-03-13 14:10:08 UTC
What happened to the severity rating? It appears blank?
And is anything being done?
(If you want, I'll write a root exploit for it? Would that speed things up?)
--zen-parse


Comment 2 Eido Inoue 2001-03-14 10:52:13 UTC
The problem with /var/tmp getting put in the path is that Tcl's build script
isn't designed to work properly in non-interactive environments. A set of
patches needs to be applied to the build process so that tcl doesn't query
the current temporary environment.


*** This bug has been marked as a duplicate of 22187 ***

Comment 3 Mark J. Cox 2002-08-12 19:38:50 UTC
An erratum has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-148.html