Bug 28224 - expect searches /var/tmp before /usr/lib
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: tcltk
Version: 7.0
Platform: i686 Linux
Priority: high
Severity: medium
Assigned To: Jens Petersen
QA Contact: David Lawrence
Keywords: Security
Reported: 2001-02-18 06:43 EST by Need Real Name
Modified: 2007-03-26 23:41 EDT
Doc Type: Bug Fix
Last Closed: 2001-03-13 09:10:17 EST
Attachments: None

Description Need Real Name 2001-02-18 06:43:26 EST
/usr/bin/expect searches a series of directories under /var/tmp before
looking in the correct location for the library file
/usr/lib/libexpect5.31.so, which allows a malicious user to cause commands
to be executed as another user, and in the case of mkpasswd, probably
root.

Although I haven't looked at the source, a preliminary investigation
(strings `which expect`) suggests that this is due to a path being given in
the file of "/var/tmp/tcltk-root/usr/lib:/usr/X11R6/lib" (which may be a
remnant from testing?)

[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
6:stat64("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffec4c) = -1 ENOSYS (Function not implemented)
7:stat("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
8:open("/var/tmp/tcltk-root/usr/lib/i686/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
9:stat("/var/tmp/tcltk-root/usr/lib/i686", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
10:open("/var/tmp/tcltk-root/usr/lib/mmx/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
11:stat("/var/tmp/tcltk-root/usr/lib/mmx", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
12:open("/var/tmp/tcltk-root/usr/lib/libexpect5.31.so", O_RDONLY) = -1 ENOENT (No such file or directory)
13:stat("/var/tmp/tcltk-root/usr/lib", 0xbfffeb6c) = -1 ENOENT (No such file or directory)
[root@clarity /tmp]#

The utility /usr/bin/mkpasswd is an expect script that is designed to be
used by root to change passwords of users to a random string. 

If a malicious user were to put a trojan version of libexpect5.31.so in 
/var/tmp/tcltk-root/usr/lib/i686/mmx/ or one of the other directories, that
would be loaded and executed.

[root@clarity /tmp]# su evil
[evil@clarity /tmp]$ mkdirhier /var/tmp/tcltk-root/usr/lib/i686/mmx/
[evil@clarity /tmp]$ touch /var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so
[evil@clarity /tmp]$ exit
[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4
[root@clarity /tmp]# more /tmp/twall
execve("/usr/bin/expect", ["expect"], [/* 29 vars */]) = 0
uname({sys="Linux", node="clarity", ...}) = 0
brk(0)                                  = 0x8049c90
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4
read(4, "", 1024)                       = 0
close(4)                                = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[root@clarity /tmp]#

If the file had been a valid library, instead of a 0 byte file, it would've
loaded instead.

A number of other programs also use this utility, but no others seem to be
as likely to be run by root.


--zen-parse
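A check an administrator can run over /usr/bin/expect, or any installed binary, to catch a search path like the one reported above: added example code, not from the bug report or the tcltk package. It parses the ELF program headers and dynamic section directly (no readelf needed) and flags RPATH/RUNPATH entries that are empty, relative, or under a user-writable prefix; the WRITABLE_PREFIXES list is an assumption to adapt per host.

```python
import struct

# Assumed list of prefixes an unprivileged user can populate; extend for your site.
WRITABLE_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/home")
PT_LOAD, PT_DYNAMIC, DT_STRTAB, DT_RPATH, DT_RUNPATH = 1, 2, 5, 15, 29

def is_unsafe(ent):
    """True for an empty entry (ld.so reads that as the current directory), a
    relative entry other than $ORIGIN, or a directory under a writable prefix."""
    under_writable = any(ent == p or ent.startswith(p + "/") for p in WRITABLE_PREFIXES)
    return ent == "" or not ent.startswith(("/", "$ORIGIN")) or under_writable

def unsafe_entries(search_path):
    """The entries of a ':'-separated RPATH/RUNPATH that a local user could control."""
    return [ent or "(empty = cwd)" for ent in search_path.split(":") if is_unsafe(ent)]

def elf_search_paths(path):
    """DT_RPATH/DT_RUNPATH strings of an ELF file; None if the file is not ELF."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        return None
    end = "<" if data[5] == 1 else ">"                       # EI_DATA: 1 = little-endian
    # Per ELF class: e_phoff (fmt, offset), offset of e_phentsize/e_phnum, Phdr fmt,
    # Dyn fmt, and the indices of p_offset/p_vaddr/p_filesz in the unpacked Phdr.
    if data[4] == 2:                                         # EI_CLASS: 2 = ELF64
        pf, pa, ha, phdr, dyn_fmt, (io, iv, iz) = "Q", 0x20, 0x36, "IIQQQQQQ", "qQ", (2, 3, 5)
    else:
        pf, pa, ha, phdr, dyn_fmt, (io, iv, iz) = "I", 0x1C, 0x2A, "IIIIIIII", "iI", (1, 2, 4)
    (phoff,) = struct.unpack_from(end + pf, data, pa)
    phentsize, phnum = struct.unpack_from(end + "HH", data, ha)
    loads, dyn = [], None
    for i in range(phnum):
        ph = struct.unpack_from(end + phdr, data, phoff + i * phentsize)
        if ph[0] == PT_LOAD:
            loads.append((ph[iv], ph[io], ph[iz]))           # (vaddr, file offset, filesz)
        elif ph[0] == PT_DYNAMIC:
            dyn = (ph[io], ph[iz])
    if dyn is None:
        return []                                            # static binary: no search path
    tags = [struct.unpack_from(end + dyn_fmt, data, off)
            for off in range(dyn[0], dyn[0] + dyn[1], struct.calcsize(dyn_fmt))]
    strtab = next(v for t, v in tags if t == DT_STRTAB)
    # DT_STRTAB is a virtual address; map it to a file offset through the PT_LOAD it lies in.
    base = next(off + strtab - va for va, off, sz in loads if va <= strtab < va + sz)
    return [data[base + v:data.index(b"\0", base + v)].decode()
            for t, v in tags if t in (DT_RPATH, DT_RUNPATH)]
```

Calling unsafe_entries on each string returned by elf_search_paths("/usr/bin/expect") would report an entry such as /var/tmp/tcltk-root/usr/lib; note that ld.so also probes hwcap subdirectories (i686/mmx) beneath each entry, as the strace above shows, so the whole subtree under a flagged entry matters.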
Comment 1 Need Real Name 2001-03-13 09:10:08 EST
What happened to the severity rating? It appears blank?
And is anything being done?
(If you want, I'll write a root exploit for it? Would that speed things up?)
--zen-parse
Comment 2 Eido Inoue 2001-03-14 05:52:13 EST
The problem with /var/tmp getting put in the path is because Tcl's build script
isn't designed to work properly in non-interactive environments. A set of
patches needs to be applied to the build process so that tcl doesn't query
the current temporary environment.


*** This bug has been marked as a duplicate of 22187 ***
Comment 3 Mark J. Cox (Product Security) 2002-08-12 15:38:50 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-148.html
