TITLE:
BMC CONTROL-M/Agent Insecure Temporary Directory Usage

SECUNIA ADVISORY ID:
SA17294

VERIFY ADVISORY:
http://secunia.com/advisories/17294/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

SOFTWARE:
BMC CONTROL-M/Agent 6.x for Solaris
http://secunia.com/product/6012/
BMC CONTROL-M/Agent 6.x for Linux
http://secunia.com/product/6013/

DESCRIPTION:
Scott Cromar has reported a vulnerability in BMC Control-M/Agent, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

The vulnerability is caused due to the failure to verify that the "/tmp/ctm" temporary directory is owned by the root user before writing files into it. If this directory has been deleted by e.g. the O/S or the root user, then it is possible that a malicious user may re-create the directory. This can potentially be exploited via symlink attacks to create or overwrite arbitrary files with the privileges of the Control-M process.

Successful exploitation requires that e.g. the O/S is configured to delete the "/tmp/ctm" directory when it restarts or on a regular basis.

The vulnerability has been reported in version 6.1.03 on Solaris. Other versions may also be affected.

SOLUTION:
The vendor recommends that the "/tmp/ctm" directory should not be deleted. On systems that clear the "/tmp" directory on restart, the "/tmp/ctm" directory should be re-created immediately on startup with root user permissions.

A fix reportedly will be implemented in the next major release, version 6.3.

PROVIDED AND/OR DISCOVERED BY:
Scott Cromar
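ADDED EXAMPLE:
The ownership check the description says is missing can be run by an administrator as an audit of "/tmp/ctm". The following Python sketch is an added example, not code from BMC or Secunia; the function name audit_tmp_dir, its parameters and the finding strings are assumptions made for illustration.

```python
import os
import stat


def audit_tmp_dir(path="/tmp/ctm", expected_uid=0):
    """Return a list of findings; an empty list means no problem was found.

    expected_uid defaults to 0 (root), the owner the advisory calls for.
    """
    try:
        # lstat() inspects the path itself and does not follow a symlink
        # that may have been planted where the directory used to be.
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: re-create as root before the agent starts"]

    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink, not a real directory"]
    if not stat.S_ISDIR(st.st_mode):
        return ["path exists but is not a directory"]

    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")

    # A symlink inside the directory redirects any write made to that
    # name, which is the symlink attack the advisory describes.
    for name in sorted(os.listdir(path)):
        entry = os.lstat(os.path.join(path, name))
        if stat.S_ISLNK(entry.st_mode):
            findings.append(f"symlink inside directory: {name}")
    return findings


if __name__ == "__main__":
    problems = audit_tmp_dir()
    for problem in problems:
        print("/tmp/ctm:", problem)
    raise SystemExit(1 if problems else 0)
```

This is a point-in-time audit: the directory can still change between the check and a later write, so it complements the vendor's advice to re-create the directory as root at startup rather than replacing it.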