Bug 28224 - expect searches /var/tmp before /usr/lib
Summary: expect searches /var/tmp before /usr/lib
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcltk
Version: 7.0
Hardware: i686
OS: Linux
high
medium
Target Milestone: ---
Assignee: Jens Petersen
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
 
Reported: 2001-02-18 11:43 UTC by Need Real Name
Modified: 2007-03-27 03:41 UTC

Clone Of:
Last Closed: 2001-03-13 14:10:17 UTC




External Trackers
Red Hat Product Errata RHSA-2002:148 (priority normal, status SHIPPED_LIVE): Updated Tcl/Tk packages fix local vulnerability. Last updated 2002-07-22 04:00:00 UTC.

Description Need Real Name 2001-02-18 11:43:26 UTC
/usr/bin/expect searches a series of directories under /var/tmp before
looking in the correct location for the library file
/usr/lib/libexpect5.31.so, which allows a malicious user to cause commands
to be executed as another user, and in the case of mkpasswd, probably
root.

Although I haven't looked at the source, a preliminary investigation
(strings `which expect`) suggests that this is due to a path being given in
the file of "/var/tmp/tcltk-root/usr/lib:/usr/X11R6/lib" (which may be a
remnant from testing?)

[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall 
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
6:stat64("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffec4c) = -1 ENOSYS (Function not implemented)
7:stat("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
8:open("/var/tmp/tcltk-root/usr/lib/i686/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
9:stat("/var/tmp/tcltk-root/usr/lib/i686", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
10:open("/var/tmp/tcltk-root/usr/lib/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
11:stat("/var/tmp/tcltk-root/usr/lib/mmx", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
12:open("/var/tmp/tcltk-root/usr/lib/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
13:stat("/var/tmp/tcltk-root/usr/lib", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
[root@clarity /tmp]# 

The utility /usr/bin/mkpasswd is an expect script that is designed to be
used by root to change passwords of users to a random string. 

If a malicious user were to put a trojan version of libexpect5.31.so in 
/var/tmp/tcltk-root/usr/lib/i686/mmx/ or one of the other directories, that
would be loaded and executed.

[root@clarity /tmp]# su evil
[evil@clarity /tmp]$ mkdirhier /var/tmp/tcltk-root/usr/lib/i686/mmx/
[evil@clarity /tmp]$ touch /var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so
[evil@clarity /tmp]$ exit
[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall 
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4
[root@clarity /tmp]# more /tmp/twall 
execve("/usr/bin/expect", ["expect"], [/* 29 vars */]) = 0
uname({sys="Linux", node="clarity", ...}) = 0
brk(0)                                  = 0x8049c90
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4
read(4, "", 1024)                       = 0
close(4)                                = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[root@clarity /tmp]# 

If the file had been a valid library, instead of a 0 byte file, it would've
loaded instead.

A number of other programs also use this utility, but no others seem to be
as likely to be run by root.


--zen-parse
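
The search pattern in the strace above (the library probed under i686/mmx, i686, mmx and then the bare directory, immediately after /etc/ld.so.preload) is what ld.so does for a search path compiled into the binary, so the practical check is to audit binaries for DT_RPATH/DT_RUNPATH entries that a local user can pre-populate. The script below is an added example and is not code from this bug report or from the tcltk package. It assumes the list of sticky-bit temp directories in UNSAFE_PREFIXES and the i686/mmx hardware-capability subdirectory order taken from the strace above; readelf from binutils is needed only for the audit_binary wrapper, and the other functions work on a path string so they can be exercised without a binary.

```shell
#!/bin/sh
# Added example; not code from the bug report or from the tcltk package.
# Audits an ELF binary's DT_RPATH/DT_RUNPATH for search-path entries that an
# unprivileged local user can pre-populate, which is how a build-root path
# (/var/tmp/tcltk-root/usr/lib) left in /usr/bin/expect became exploitable.

# Sticky-bit temp directories where any local user can create subtrees.
# Assumption: extend this list for the system being audited.
UNSAFE_PREFIXES="/tmp /var/tmp /dev/shm"

# unsafe_rpath_entry ENTRY
# Exit 0 if ENTRY is attacker-controllable, 1 if it looks safe.
unsafe_rpath_entry() {
    entry=$1
    case $entry in
        "")         return 0 ;;   # empty entry: ld.so searches the current directory
        '$ORIGIN'*) return 1 ;;   # relative to the binary's own (root-owned) directory
        /*)
            for p in $UNSAFE_PREFIXES; do
                case $entry in
                    "$p"|"$p"/*) return 0 ;;
                esac
            done
            return 1 ;;
        *)          return 0 ;;   # relative path: resolved against the caller's cwd
    esac
}

# check_rpath_string "DIR1:DIR2:..."
# Prints each unsafe entry; exit 0 if all entries are safe, 1 otherwise.
# An empty string is one empty entry (cwd), which is what an empty DT_RPATH means.
check_rpath_string() {
    rest="$1:"          # trailing ':' so the last field is split like the others
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        if unsafe_rpath_entry "$entry"; then
            echo "unsafe entry: '$entry'"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# hwcap_candidates DIR
# The directories ld.so probed under each rpath entry in the strace above, in
# that order. Assumption: the i686/mmx hardware-capability subdirectories of
# that host; the set depends on CPU and glibc version. Any one of them is
# enough for an attacker to plant a library, so all of them must be checked.
hwcap_candidates() {
    for sub in i686/mmx i686 mmx ""; do
        if [ -n "$sub" ]; then echo "$1/$sub"; else echo "$1"; fi
    done
}

# audit_binary PATH
# Wrapper around readelf (binutils) for a real binary. Exit 1 if unsafe.
audit_binary() {
    rpaths=$(readelf -d "$1" 2>/dev/null |
        awk '/\((RPATH|RUNPATH)\)/ { sub(/.*\[/, ""); sub(/\].*/, ""); print }')
    if [ -z "$rpaths" ]; then
        return 0            # no DT_RPATH/DT_RUNPATH: only the default directories are searched
    fi
    rc=0
    for r in $rpaths; do    # one line per tag; rpath strings contain no whitespace
        echo "$1: rpath $r"
        check_rpath_string "$r" || rc=1
    done
    return $rc
}

# Usage: ./rpath_audit.sh /usr/bin/expect /usr/lib/libexpect5.31.so ...
if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do
        audit_binary "$f" || status=1
    done
    exit $status
fi
```

Run over every ELF file a package installs, at build time as well as on the installed system: the path reported here ("/var/tmp/tcltk-root/usr/lib:/usr/X11R6/lib") is flagged on its first entry, and the same check would have caught the build-root remnant before the package shipped.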

Comment 1 Need Real Name 2001-03-13 14:10:08 UTC
What happened to the severity rating? It appears blank.
And is anything being done?
(If you want, I'll write a root exploit for it? Would that speed things up?)
--zen-parse


Comment 2 Eido Inoue 2001-03-14 10:52:13 UTC
The problem with /var/tmp getting put in the path is because tcl's build script
isn't designed to work properly in non-interactive environments. A set of
patches needs to be applied to the build process so that tcl doesn't query the
current temporary environment.


*** This bug has been marked as a duplicate of 22187 ***

Comment 3 Mark J. Cox 2002-08-12 19:38:50 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-148.html


