Bug 28224 - expect searches /var/tmp before /usr/lib
Summary: expect searches /var/tmp before /usr/lib
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcltk
Version: 7.0
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Jens Petersen
QA Contact: David Lawrence
Keywords: Security
Depends On:
Reported: 2001-02-18 11:43 UTC by Need Real Name
Modified: 2007-03-27 03:41 UTC

Clone Of:
Last Closed: 2001-03-13 14:10:17 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2002:148 normal SHIPPED_LIVE : Updated Tcl/Tk packages fix local vulnerability 2002-07-22 04:00:00 UTC

Description Need Real Name 2001-02-18 11:43:26 UTC
/usr/bin/expect searches a series of directories under /var/tmp before
looking in the correct location for the library file
/usr/lib/libexpect5.31.so, which allows a malicious user to cause commands
to be executed as another user, and in the case of mkpasswd, probably

Although I haven't looked at the source, a preliminary investigation
(strings `which expect`) suggests that this is due to a path being given in
the file of "/var/tmp/tcltk-root/usr/lib:/usr/X11R6/lib" (which may be a
remnant from testing?)

[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall 
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
6:stat64("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffec4c) = -1 ENOSYS (Function not implemented)
7:stat("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
8:open("/var/tmp/tcltk-root/usr/lib/i686/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
9:stat("/var/tmp/tcltk-root/usr/lib/i686", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
10:open("/var/tmp/tcltk-root/usr/lib/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
11:stat("/var/tmp/tcltk-root/usr/lib/mmx", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
12:open("/var/tmp/tcltk-root/usr/lib/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
13:stat("/var/tmp/tcltk-root/usr/lib", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
[root@clarity /tmp]# 

The utility /usr/bin/mkpasswd is an expect script that is designed to be
used by root to change passwords of users to a random string. 

If a malicious user were to put a trojan version of libexpect5.31.so in 
/var/tmp/tcltk-root/usr/lib/i686/mmx/ or one of the other directories, that
would be loaded and executed.

[root@clarity /tmp]# su evil
[evil@clarity /tmp]$ mkdirhier /var/tmp/tcltk-root/usr/lib/i686/mmx/
[evil@clarity /tmp]$ touch
[evil@clarity /tmp]$ exit
[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall 
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) =
[root@clarity /tmp]# more /tmp/twall 
execve("/usr/bin/expect", ["expect"], [/* 29 vars */]) = 0
uname({sys="Linux", node="clarity", ...}) = 0
brk(0)                                  = 0x8049c90
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4
read(4, "", 1024)                       = 0
close(4)                                = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[root@clarity /tmp]# 

If the file had been a valid library, instead of a 0 byte file, it would've
loaded instead.

A number of other programs also use this utility, but no others seem to be
as likely to be run by root.


Comment 1 Need Real Name 2001-03-13 14:10:08 UTC
What happened to the severity rating? It appears blank?
And is anything being done?
(If you want, I'll write a root exploit for it? Would that speed things up?)

Comment 2 Eido Inoue 2001-03-14 10:52:13 UTC
The problem with /var/tmp getting put in the path is because tcl's build script
isn't designed to work properly in non-interactive environments. A set of
patches needs to be applied to the build process so that tcl doesn't
query the current temporary environment.

*** This bug has been marked as a duplicate of 22187 ***

Comment 3 Mark J. Cox 2002-08-12 19:38:50 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

