[UNIX] SUS Local Root Privilege Escalation Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 09/19/04

  • Next message: SecuriTeam: "[TOOL] Fwknop - Firewall Knock Operator" 
    To: list@securiteam.com
Date: 19 Sep 2004 14:08:34 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      SUS Local Root Privilege Escalation Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://pdg.uow.edu.au/sus/> SUS is a suid root program that allows
    ordinary users the execution of certain programs with superuser
    privileges. SUS relatives are super, sudo and calife. SUS is run by
    default as setuid root.

    A format string bug in SUS allows a local user to gain root privileges on
    the system.

    DETAILS

    Vulnerable Systems:
     * SUS version 2.0.2

    Immune Systems:
     * SUS version 2.0.2-r1 (Gentoo)
     * SUS version 2.0.6

    The format string vulnerability is a result of an incorrect syslog()
    function call and can be exploited directly from the command line. The
    relevant portion of code is listed below, taken from log.c:
    void
    log(char * msg)
    {
    ..
                    openlog(ident, LOG_PID|LOG_CONS, facility);
                    syslog(level,msg); // <-
    VULNERABILITY
    ..
    }

    It is clearly evident that a command is logged and it is passed to syslog
    without any kind of sanitation. This allows the attacker to insert any
    kind of format string identifiers and basically manipulate the program
    from that point forward.

    A proof of concept code for this vulnerability can be downloaded from
    <http://security.lss.hr/PoC/> http://security.lss.hr/PoC/.

    Vendor Status:
    GENTOO Linux and Peter D. Gray (SUS author) were notified. Gentoo released
    a patched version. A fixed version is also available on the SUS homepage:
     <http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z>
    http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z

    Disclosure Timeline
    13/09/2004 Vendor notification
    14/09/2004 Public release

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:exposed@lss.hr> LSS Security
    Advisories.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[TOOL] Fwknop - Firewall Knock Operator"

    Relevant Pages