Multiple Local Vulnerabilities in Helix Gnome Installer

[Alan Cox <alan lxorguk ukuu org uk>]

Multiple Vulnerabilities In Helix Gnome Installer 0.2

VULNERABILITIES:

The Helix installer contains multiple locally exploitable vulnerabilities.

1.	Several of the gdmify functions are vulnerable to attack because
	they use system and /tmp in unsafe manners

	> SuSE and Caldera

	A mkdir of the right path by any user prior to root running the Helix
	Installer will blank real config files losing parts of the users
	system configuration.

	> Other

	The other cases appear safe basically by chance. 

2.	The downloader tries to use a /tmp/helix_install directory, which
	at first seems a good idea. Unfortunately

        rc = mkdir(download_dir, 0600);
        if (rc < 0) {
                if (errno != EEXIST) {
                        error_box(g_strdup_printf("Helix GNOME Update was

                        exit(1);
                }
        }


	In other words, if I get there first and create a mode 777 directory 
	the Helix user may end up installing arbitarily modified packages 
	from a local attacker.

3.	When the user quits the updater the updating code on the version 
	inspected attempts to delete the files in the download directory.
	Unfortunately due to an elementary coding error it deletes each file
	in the download directory with a corresponding file in /var/tmp


Bugs 2 and 3 combine to allow any hostile local user to make the user of the
Helix Updater delete arbitary files.

There are other potential holes in the check_rpm code but these depend on
the XML database file fetched from helixcode.com being compromised. It would
appear possible to create a remote exploit based on DNS spoofing to feed
such a tampered XML file to the Installer but this would be an extremely
tricky stunt and has not been attempted.

Oddly enough given these errors the usual buffer overrun bugs appear absent.
The authors make religious use of glib safe string functionality.

WORKAROUND:

Firstly if you have no untrusted users on the machine you need not worry
about bugs 1-3. This means the majority of users need not worry. If you have
untrusted users you should set the download directory rather than use the
tmp default. A user will be able to delete arbitary files in the directory
you use but this can be a new empty directory so this is an acceptable
workaround.

Be sure to also change the download directory in instances of the updater
run from cron or at.

NOTES:

Helixcode were notified about this on the 7th August.