CVE-1999-1541
Description
Cactus Software Shell Lock's insecure temporary file handling allows local symlink attacks leading to privilege escalation or script disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The shell-lock utility (versions up to 2.1.1.1) from Cactus Software creates temporary files in /tmp or a similar directory without proper precautions against symlink attacks. When processing a shell script for obfuscation or execution, the program writes decoded content to a temporary file. An attacker can pre-create a symbolic link with the predicted temporary filename pointing to a file they control or wish to modify, causing shell-lock to write to or read from the attacker's file instead of the intended temporary location [1].
Exploitation
A local attacker simply needs to identify when shell-lock is invoked and predict the temporary filename pattern. By placing a symlink in the temporary directory before shell-lock creates its file, the attacker can redirect the write operation. If the symlink points to a file owned by the attacker or to a sensitive system file, the decoded shell script can be read or overwritten. In cases where the locked binary is setuid root, a malicious symlink can lead to arbitrary command execution as root [1].
Impact
Successful exploitation allows a local user to either read the decoded shell script (information disclosure) or modify it before execution, potentially injecting arbitrary commands. If the shell-lock compiled binary is setuid root, the attacker can achieve full root privileges by executing commands through the modified script [1].
Mitigation
No official patch has been released by Cactus Software. The vulnerability is inherent in the design of shell-lock's temporary file handling. Users are advised to avoid using shell-lock with setuid privileges and to monitor temporary directories for suspicious symlinks. The product is likely end-of-life; replacing it with a secure alternative is recommended.
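The temporary-file handling that avoids this class of symlink race, as an added C example; it is not shell-lock's code and not from the CVE references. The function names and the scratch paths under /tmp are hypothetical, chosen for illustration. It shows an exclusive create refusing a name that is already occupied by a symlink, next to the preferred `mkstemp()` form.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Fixed-name case: O_CREAT|O_EXCL makes open() fail with EEXIST if anything,
 * including a dangling symlink, already sits at path. Returns fd or -1. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it atomically;
 * the umask guards old libcs that did not force mode 0600. Returns fd or -1. */
int create_private_temp(char *tmpl)
{
    mode_t old = umask(077);
    int fd = mkstemp(tmpl);
    umask(old);
    return fd;
}

/* Self-check in a constructed scratch directory where a symlink already holds
 * the fixed name. Returns 0 if the exclusive open refuses it, the link target
 * is never created, and mkstemp() still yields an owner-only regular file. */
int self_check(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX", fixed[64], target[64], tmpl[64];
    struct stat st;
    int fd1, fd2, refused, rc = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(fixed, sizeof fixed, "%s/fixed.tmp", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmpl, sizeof tmpl, "%s/sl.XXXXXX", dir);
    if (symlink(target, fixed) == 0) {
        fd1 = create_exclusive(fixed);
        refused = (fd1 == -1 && errno == EEXIST);
        fd2 = create_private_temp(tmpl);
        if (refused && lstat(target, &st) == -1 && fd2 >= 0 &&
            fstat(fd2, &st) == 0 && S_ISREG(st.st_mode) && !(st.st_mode & 077))
            rc = 0;
        if (fd1 >= 0) close(fd1);
        if (fd2 >= 0) { close(fd2); unlink(tmpl); }
    }
    unlink(fixed); unlink(target); rmdir(dir);
    return rc;
}
int main(void) { return self_check(); }
```

A setuid program should additionally keep its working files in a directory only it can write to, so that no other local user can place entries there at all.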
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:cactus_software:shell-lock:*:*:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
References (3)
News mentions
No linked articles in our index yet.