[UNIX] Linuxconf Locally Exploitable Buffer Overflow Vulnerability

From: support@securiteam.com
Date: 08/28/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 28 Aug 2002 20:14:15 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Linuxconf Locally Exploitable Buffer Overflow Vulnerability
------------------------------------------------------------------------

SUMMARY

A buffer overflow exists in linuxconf: if the LINUXCONF_LANG environment
variable contains at least 964 bytes of data, a fixed-size buffer is
overrun, allowing an attacker to overwrite the function's return address
and execute arbitrary code with root privileges. iDEFENSE has an exploit
that allows a local user to launch a root shell on Red Hat Linux 7.3 by
targeting the latest version of linuxconf, 1.28r3.

DETAILS

According to the author of Linuxconf, Jacques Gelinas <jack@solucorp.qc.ca>:
"linuxconf picks the variable and uses it to format a path using snprintf.
This works fine. In fact, the receiving buffer is PATH_MAX large, so even a
1000-character variable will not overflow it, and even if this were the
case, snprintf would do its work.

Once the path is formatted, the corresponding file is opened. If the file
does not exist, an error message is formatted in a string. This was the
problem: sprintf was used instead of snprintf there.

There are two fixes. One is to use snprintf to format the error message at
this place, and the other is to check for an appropriate length for this
variable (max 5 characters) immediately when it is found."
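The following is an added illustration, not linuxconf's own source, of the two fixes the author describes: bounding the error-message formatting with snprintf, and rejecting a LINUXCONF_LANG value longer than 5 characters as soon as it is read. The function names, the language-directory layout, the error-message text and the ERRMSG_MAX size are assumptions; only the 5-character limit and the use of a PATH_MAX buffer come from the advisory.

```c
/* Added illustration (not linuxconf's code). The defect described above is an
 * unbounded sprintf of an attacker-controlled environment variable into a
 * fixed-size error-message buffer. Both fixes named by the author are shown:
 *   fix 1: bound the error-message formatting with snprintf;
 *   fix 2: validate the variable (max 5 characters) immediately when read.
 * Function names, path layout, message text and ERRMSG_MAX are assumptions. */
#include <ctype.h>
#include <limits.h>   /* PATH_MAX */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define LANG_MAX   5    /* limit the author cites for LINUXCONF_LANG */
#define ERRMSG_MAX 256  /* assumed size of the error-message buffer */

/* Fix 2: validate the variable as soon as it is fetched.
 * Returns 1 if acceptable (1..5 characters, letters/digits/'_' only). */
int lang_is_valid(const char *lang)
{
    size_t n, i;
    if (lang == NULL) return 0;
    n = strlen(lang);
    if (n == 0 || n > LANG_MAX) return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)lang[i]) && lang[i] != '_') return 0;
    return 1;
}

/* Fix 1: bounded error formatting. Returns the number of characters stored
 * (excluding the NUL), which is always < errlen whatever the path length. */
size_t format_open_error(char *err, size_t errlen, const char *path)
{
    int n = snprintf(err, errlen, "can't open language file %s", path);
    if (n < 0) { err[0] = '\0'; return 0; }
    /* snprintf reports how much it wanted to write; clamp to what fits. */
    return (size_t)n < errlen ? (size_t)n : errlen - 1;
}

/* Build the language-file path as the author describes (snprintf into a
 * PATH_MAX buffer) after validating the variable. Returns 0 on rejection.
 * The directory layout is assumed. */
int build_lang_path(char *path, size_t pathlen, const char *lang)
{
    if (!lang_is_valid(lang)) return 0;
    snprintf(path, pathlen, "/usr/lib/linuxconf/lang/%s/messages", lang);
    return 1;
}

int main(void)
{
    char path[PATH_MAX], err[ERRMSG_MAX];
    const char *lang = getenv("LINUXCONF_LANG");
    FILE *f;

    if (!build_lang_path(path, sizeof path, lang)) {
        fputs("LINUXCONF_LANG rejected: empty, too long or bad characters\n", stderr);
        return 1;
    }
    f = fopen(path, "r");
    if (f == NULL) {
        /* The original bug lived here: sprintf of an oversized path. */
        format_open_error(err, sizeof err, path);
        fprintf(stderr, "%s\n", err);
        return 1;
    }
    fclose(f);
    return 0;
}
```

With the length check in place an oversized value never reaches the path or message formatting at all; the bounded snprintf is the second line of defence for any other caller that formats an untrusted string into the same buffer.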

Detection:
This vulnerability affects any version of linuxconf (essentially six years'
worth of distributions) that is installed setuid root. Generally, there are
four ways in which this utility ends up installed setuid:

1.) Shipped by the vendor (Red Hat does not ship linuxconf setuid, but
Mandrake does, as do other Linux vendors)
2.) Installed from the RPM on the main site
(http://www.solucorp.qc.ca/linuxconf/) for each particular Linux OS
(installs setuid root by default)
3.) Installed from source code, also from the main site
(http://www.solucorp.qc.ca/linuxconf/), which prompts for whether to
install setuid root
4.) Installed in ways 1, 2 or 3 and manually set setuid root by the user
for added functionality.

Workaround:
Remove the setuid bit from the linuxconf binary:
$ chmod u-s /bin/linuxconf

Vendor response:
iDEFENSE immediately contacted Jacques Gelinas and he provided a source
code patch. iDEFENSE verified that the vulnerability is mitigated in the
newer distribution (1.28r4) of linuxconf.

An updated version (1.28r4) of linuxconf which addresses this
vulnerability will be available on August 28, 2002 at
http://www.solucorp.qc.ca/linuxconf/ .

Affected Linux vendors will make updates available August 28, 2002.

ADDITIONAL INFORMATION

The information has been provided by David Endler <dendler@idefense.com>
of iDEFENSE.
