Computer Associates ARCserveIT ClientAgent Temporary File Vulnerability

ARCServeIT is a backup solution offered by Computer Associates for various platforms. On each client that uses the system, a "Client Agent" must be installed. On at least linux systems, the setup script for Client Agent writes to a file in /tmp without checking to see whether the file already exists and who owns it. The script then moves the file to a trusted location, carrying ownership along with it. The file that the tmpfile (uagent.tmp) is mv'ed to is /usr/CYEagent/agent.cfg, the global configuration file for the client sub-agents on the system. The contents of this file can be executed when the ARTServeIT "sub-agents" are re-started and depending on the modifications to the config file, root privilges can possibly be gained. Fortunately, in order to exploit this an attacker must know in advance that the client-agent setup program is going to be run on the target machines or the setup program must be run a second time since that is where the vulnerability lies.


 

Privacy Statement
Copyright 2010, SecurityFocus