/usr/bin/expect searches a series of directories under /var/tmp before looking in the correct location for the library file /usr/lib/libexpect5.31.so, which allows a malicious user to cause commands to be executed as another user, and in the case of mkpasswd, probably root.

Although I haven't looked at the source, a preliminary investigation (strings `which expect`) suggests that this is due to a path being given in the file of "/var/tmp/tcltk-root/usr/lib:/usr/X11R6/lib" (which may be a remnant from testing?)

[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
6:stat64("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffec4c) = -1 ENOSYS (Function not implemented)
7:stat("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
8:open("/var/tmp/tcltk-root/usr/lib/i686/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
9:stat("/var/tmp/tcltk-root/usr/lib/i686", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
10:open("/var/tmp/tcltk-root/usr/lib/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
11:stat("/var/tmp/tcltk-root/usr/lib/mmx", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
12:open("/var/tmp/tcltk-root/usr/lib/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
13:stat("/var/tmp/tcltk-root/usr/lib", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
[root@clarity /tmp]#

The utility /usr/bin/mkpasswd is an expect script that is designed to be used by root to change passwords of users to a random string. If a malicious user were to put a trojan version of libexpect5.31.so in /var/tmp/tcltk-root/usr/lib/i686/mmx/ or one of the other directories, that would be loaded and executed.
[root@clarity /tmp]# su evil
[evil@clarity /tmp]$ mkdirhier /var/tmp/tcltk-root/usr/lib/i686/mmx/
[evil@clarity /tmp]$ touch /var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so
[evil@clarity /tmp]$ exit
[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4
[root@clarity /tmp]# more /tmp/twall
execve("/usr/bin/expect", ["expect"], [/* 29 vars */]) = 0
uname({sys="Linux", node="clarity", ...}) = 0
brk(0) = 0x8049c90
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4
read(4, "", 1024) = 0
close(4) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[root@clarity /tmp]#

If the file had been a valid library, instead of a 0 byte file, it would've loaded instead. A number of other programs also use this utility, but no others seem to be as likely to be run by root.

--zen-parse
What happened to the severity rating? It appears blank. And is anything being done? (If you want, I'll write a root exploit for it. Would that speed things up?)

--zen-parse
The problem with /var/tmp getting put in the path is because tcl's build script isn't designed to work properly in non-interactive environments. A set of patches needs to be applied to the build process so that tcl doesn't query the current temporary environment.

*** This bug has been marked as a duplicate of 22187 ***
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2002-148.html