||Home : Advisories : Insecure call of external programs in Red Hat Linux tmpwatch|
||Insecure call of external programs in Red Hat Linux tmpwatch
||6th October 2000
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Advisory
October 6, 2000
Insecure call of external programs in Red Hat Linux tmpwatch
The tmpwatch utility is used in Red Hat Linux to remove temporary files. This
utility has an option to call the "fuser" program, which verifies if a file is
currently opened by a process. The fuser program is invoked within tmpwatch by
calling the system() library subroutine. Insecure handling of the arguments to
this subroutine could potentially allow an attacker to execute arbitrary
This vulnerability may allow local attackers to compromise superuser access if
tmpwatch is used by the administrator in a non-default manner.
Red Hat Linux 7.0 (tmpwatch v2.5.1)
Red Hat Linux 6.2 (tmpwatch v2.2)
Use the 'rpm -q tmpwatch' command to verify which version is installed. The
tmpwatch package as well as the package containing fuser are included in the
default base installation. By default, tmpwatch with the fuser option is not
used in any package shipped with the Red Hat distributions.
The tmpwatch tool removes files that have not been modified or accessed within
a specified amount of time. It was designed to securely remove files by
avoiding typical race condition vulnerabilities. System administrators usually
run this tool periodically to remove old temporary files in world-writeable
The tmpwatch tool uses the --fuser or -s options to avoid removing a file that
is in an open state in another process. This option uses the system() library
subroutine to call the external program /sbin/fuser with the file name being
examined as an argument. The system() subroutine spawns a shell to execute the
command. An attacker may create a file name containing shell metacharacters,
which could allow them to execute arbitrary commands if tmpwatch with the
fuser option is used to remove the file.
Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch packages
suggests this vulnerability was recognized and a fix was attempted. However,
the fix is incorrect, and the vulnerability is still exploitable.
Do not use the --fuser or -s options with tmpwatch.
Red Hat has issued the following RPMs that contain fixes for this
Red Hat Linux 6.2:
Red Hat Linux 7.0:
MD5 sum Package Name
These packages are GPG signed by Red Hat, Inc. for security. Red Hat's key
is available at:
You can verify each package with the following command:
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg
If an external program needs to be called within a process, try to avoid the
system() subroutine. Use the execve() subroutine instead. See the Secure
UNIX Programming FAQ for details:
The Common Vulnerabilities and Exposures (CVE) project has assigned the Name
CAN-2000-0816 to this issue. This is a candidate for inclusion in the CVE
list http://cve.mitre.org, which standardizes names for security problems.
This vulnerability was discovered and researched by Allen Wilson and Aaron
Campbell of the ISS X-Force.
The vendor contact in regards to this vulnerability was performed with the
help of the SecurityFocus.com Vulnerability Help Team. For more
information or assistance drafting advisories please mail
About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.
Copyright (c) 2000 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail firstname.lastname@example.org for permission.
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
email@example.com of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----