<<< Date Index >>>     <<< Thread Index >>>

worring about YaST in SuSE 9.3 and maybe lower



author:         l0om 
email:          email:l0om | a7 | excluded d07 org
page:           www.excluded.org

worring about YaST in SuSE 9.3 and maybe lower

iam wondering about the installation routine from SuSE linux 9.3 and maybe some 
lower verisons.
YaST is creating a directory named 
"/var/adm/YaST/InstSrcManager/IS_CACHE_0x0000000X/DATA/descr" which is 
worldwritable by default. the directory contains data like packagenames and 
pathnames needed for YaST if you install software. for normal this directory 
shouldnt be writable by everyone because if you change the install media a new 
"IS_CACHE_0x0000000X/DATA/descr" is created which isnt worldwritable. 

so you may be able to poising the data which is viewd by root while he is 
trying to install data. the following data may be changed for example (file 
"packages"):

##----------------------------------------
=Pkg: 3ddiag 0.724 3 i586
+Req:
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
/bin/sh
libc.so.6
libc.so.6(GLIBC_2.0)
libhd.so.10
libsysfs.so.1
rpmlib(PayloadIsBzip2) <= 3.0.5-1
-Req:
+Prq:
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsBzip2) <= 3.0.5-1
-Prq:
+Prv:
3ddiag = 0.724-3
-Prv:
=Grp: System/Base
=Lic: GPL
=Src: 3ddiag 0.724 3 src
=Tim: 1111489970
=Loc: 1 3ddiag-0.724-3.i586.rpm
=Siz: 28015 46735
+Aut:
Stefan Dirsch <sndirsch@xxxxxxx>
-Aut:
##----------------------------------------
thats the information for one package. 

change the rpms path to somethin like "../../../" isnt possible cause its 
filterd.

for sure you can simply prevent the admin installing new software with YaST if 
you destroy the "packages" file but i have noted somethin else too.

if you change the "=Loc" parameter e.g. to the following:

=Loc: 1 AAAAAAAA["A"x515]AAA3ddiag-0.724-3.i586.rpm

and the administrator is trying to install the package it will end in a 
Segmentation Fault that may be exploitable for an attacker.

---
root:~# yast

[trys to install some stuff]

sbin/yast: line 207:  8447 Speicherzugriffsfehler  (core dumped) 
$ybindir/y2base menu ncurses

badass@linux:~> gdb /usr/lib/YaST2/bin/y2base core.8447 -q
[...]
Reading symbols from /usr/lib/libncursesw.so.5...done.
Loaded symbols for /usr/lib/libncursesw.so.5
Reading symbols from /usr/lib/libpanelw.so.5...done.
Loaded symbols for /usr/lib/libpanelw.so.5
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_system.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_system.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_ini.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_ini.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2Pkg.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2Pkg.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_xml.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_xml.so.2
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /usr/lib/YaST2/plugin/libpy2ag_hwprobe.so.2...done.
Loaded symbols for /usr/lib/YaST2/plugin/libpy2ag_hwprobe.so.2
Reading symbols from /lib/libhd.so.10...done.
Loaded symbols for /lib/libhd.so.10
Reading symbols from /lib/libsysfs.so.1...done.
Loaded symbols for /lib/libsysfs.so.1
Reading symbols from /usr/lib/libiw.so.28...done.
Loaded symbols for /usr/lib/libiw.so.28
#0  0xffffe410 in ?? ()
(gdb) i r
eax            0x1      1
ecx            0x4010d9e9       1074846185
edx            0x1      1
ebx            0x7      7
esp            0x4127c3a4       0x4127c3a4
ebp            0x4127c3d8       0x4127c3d8
esi            0x80ef104        135196932
edi            0x80ef0d8        135196888
eip            0xffffe410       0xffffe410
eflags         0x293    659
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51


-----

as there is no need to have the directory worldwritable it should be chmoded to 
somethin different.