[UNIX] SUS Local Root Privilege Escalation Vulnerability

• Previous message: SecuriTeam: "[NT] Ipswitch WhatsUp Gold prn.htm DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 19 Sep 2004 14:08:34 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  SUS Local Root Privilege Escalation Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://pdg.uow.edu.au/sus/> SUS is a suid root program that allows
ordinary users the execution of certain programs with superuser
privileges. SUS relatives are super, sudo and calife. SUS is run by
default as setuid root.

A format string bug in SUS allows a local user to gain root privileges on
the system.

DETAILS

Vulnerable Systems:
 * SUS version 2.0.2

Immune Systems:
 * SUS version 2.0.2-r1 (Gentoo)
 * SUS version 2.0.6

The format string vulnerability is a result of an incorrect syslog()
function call and can be exploited directly from the command line. The
relevant portion of code is listed below, taken from log.c:
void
log(char * msg)
{
..
                openlog(ident, LOG_PID|LOG_CONS, facility);
                syslog(level,msg); // <-
VULNERABILITY
..
}

It is clearly evident that a command is logged and it is passed to syslog
without any kind of sanitation. This allows the attacker to insert any
kind of format string identifiers and basically manipulate the program
from that point forward.

A proof of concept code for this vulnerability can be downloaded from
<http://security.lss.hr/PoC/> http://security.lss.hr/PoC/.

Vendor Status:
GENTOO Linux and Peter D. Gray (SUS author) were notified. Gentoo released
a patched version. A fixed version is also available on the SUS homepage:
 <http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z>
http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z

Disclosure Timeline
13/09/2004 Vendor notification
14/09/2004 Public release

ADDITIONAL INFORMATION

The information has been provided by <mailto:exposed@lss.hr> LSS Security
Advisories.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Ipswitch WhatsUp Gold prn.htm DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]