The Defense Information Systems Agency (DISA) UNIX Security Readiness Review (SRR) scripts find(1) and execute (-exec) various programs to obtain version information. The SRR scripts are designed to be run as root. An attacker who can write a file under the root file system may be able to exploit this vulnerability to execute arbitrary code with root privileges.
DISA provides SRR scripts to help perform security reviews of various operating systems and applications. The UNIX SRR scripts check versions of various programs by searching the root file system and executing programs with options to display version information. The scripts generally use find(1) with the -exec expression primary. The scripts execute programs based on file name. If an attacker can place a file with an appropriate name on the file system, that file will be executed by the SRR script. The SRR scripts are designed to be run with root privileges.
An attacker who is able to write a file under the root file system (most likely, but not necessarily a local user) can execute arbitrary code with root privileges.
The DISA Field Security Office (FSO) is reviewing the UNIX SRR scripts and preparing changes to address these issues.
Modify SRR scripts
Given sufficient understanding of the SRR scripts, it is possible to modify them to skip the program execution steps or change to a less privileged user before executing the programs.
Thanks to Frank Stuart for reporting these issues and working with DISA FSO.
This document was written by Art Manion.
|Date First Published:||2009-12-09|
|Date Last Updated:||2009-12-09 22:39 UTC|