<<< Date Index >>>     <<< Thread Index >>>

OpenServer 5.0.7 OpenServer 6.0.0 : UnZip File Permissions Change Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 OpenServer 6.0.0 : UnZip File 
Permissions Change Vulnerability
Advisory number:        SCOSA-2005.39
Issue date:             2005 September 28
Cross reference:        sr894724 fz532853 erg712904
                        sr894723 fz532852 erg712905
                        CAN-2005-2475
______________________________________________________________________________


1. Problem Description

        A vulnerability in unzip can be exploited by malicious,
        local users to perform certain actions on a vulnerable
        system with escalated privileges. The vulnerability is
        caused due a race condition that exists when the uncompressed
        file is closed and before its permissions are changed. This
        can be exploited via hardlink attacks to change the permissions
        of other files belonging to the user running unzip. Successful
        exploitation requires that the malicious user is able to
        delete the uncompressed file and replace it with a hardlink
        to another file owned by the unzip user, before permissions
        are set on the file.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2005-2475 to this issue.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.7                unzip distribution
        OpenServer 6.0.0                unzip distribution

3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.7

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.39/507


        4.2 Verification

        MD5 (VOL.000.000) = d57b8a54b9547bef09ba1f25dbd2cbf1

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to a directory

        2) Run the custom command, specify an install from media
           images, and specify the directory as the location of the
           images.

5. OpenServer 6.0.0

        5.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.39/600


        5.2 Verification

        MD5 (VOL.000.000) = f31e45c91c87409f487613fdc5c2fb01

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        5.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to a directory

        2) Run the custom command, specify an install from media
           images, and specify the directory as the location of the
           images.

6. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2475
                http://marc.theaimsgroup.com/?l=bugtraq&m=112300046224117&w=2
                http://www.securityfocus.com/bid/14450
                http://www.osvdb.org/18530
                http://secunia.com/advisories/16309

        SCO security resources:
                http://www.sco.com/support/security/index.html
        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr894724 fz532853
        erg712904 sr894723 fz532852 erg712905.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


8. Acknowledgments

        SCO would like to thank Imran Ghory for discovering this
        weakness.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDOs1baqoBO7ipriERAlL6AJ42PH5zJVMpIwFFJW5/EaBFl1wLMACgmIV6
iU1iXNZQxpq86/Piz4bL2Bw=
=j0qW
-----END PGP SIGNATURE-----