cdrdao insecure filehandling

From: Jens Steube (jsteube@lastflood.com)
Date: 01/13/02


To: bugtraq@securityfocus.com
Date: Sun, 13 Jan 2002 00:09:20 +0100 (CET)
From: Jens Steube <jsteube@lastflood.com>



--[ Description ]--

There are several security-related bugs in the distributed
Debian (SID) package of cdrdao, a program to write audio or mixed
mode CD-Rs in disk-at-once mode. /usr/bin/cdrdao is setuid root
by default.

--[ Version ]--

Name: cdrdao
Version: 1.1.5
Author: Andreas Mueller <andreas@daneb.de>

--[ Impact ]--

Local users can gain unauthorized root access to the system.

--[ Legal ]--

The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
The author makes no warranties of any kind about the information
contained in this security advisory.

--[ Bugs ]--

cdrdao doesn't check for permissions when it tries to open a file
as its "toc-file". So it was possible to open all files on the
system, but it skips the output in its error message. Maybe it is
possible to trick it into reading all these files. As I tested around to
trick it, I found another bug.

The more important bug is that cdrdao can also write a
config file, which is written to "$HOME/.cdrdao". It is written by
the root user and not as the user who starts cdrdao. It is possible
to include data in the written config file, and so it is possible to
gain root via a symlink attack on $HOME/.cdrdao.

After I found these bugs I stopped searching for more bugs.

--[ Fix ]--

Not tried to fix.

The author, the Debian package maintainer and the Debian
Bug Tracking System (#127930) were informed one week before
this post, but there was no response.

--[ Tested on ]--

Debian GNU/Linux SID on i386, installed gcc and running cron

--[ Credits ]--

Found and exploited by Jens "atomi" Steube.

Greets go out to: impulse, symbiont, mot, para, sharkking, kartan
and all other friends on #altoetting and #perl.de on IRCnet.

--[ Proof of concept exploit ]--

The attached exploit is designed for the Debian (SID) package
and is not tested on other systems.

Regards,

Jens Steube
jsteube@lastflood.com
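The second bug above (root truncating and writing $HOME/.cdrdao while following a symlink) is the classic setuid file-handling mistake. Below is a hardened open routine, added here as an example and not code from the advisory or from cdrdao: it drops the effective uid to the invoking user before the open, refuses symlinks with O_NOFOLLOW, and checks ownership and link count on the opened descriptor before truncating. The function names and the scratch-directory scenario in self_test are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened pattern for "root writes $HOME/.cdrdao": open as the invoking
 * user, refuse symlinks, verify what was opened, only then truncate. */
int open_user_config(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    struct stat st;
    int fd;
    /* 1. Drop to the real uid so the kernel applies the user's own
     *    permissions instead of root's. */
    if (euid != ruid && seteuid(ruid) != 0) return -1;
    /* 2. O_NOFOLLOW: open() fails with ELOOP on a symlink (the advisory's
     *    vector).  No O_TRUNC yet, so nothing is clobbered before checks. */
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (euid != ruid) seteuid(euid);   /* restore privilege for the burner */
    if (fd < 0) return -1;
    /* 3. Check the object, not the name: regular file, owned by the user,
     *    no extra hard links.  Then truncate. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != ruid ||
        st.st_nlink != 1 || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario (not from the advisory): in a scratch directory,
 * ".cdrdao" is a symlink to "config".  Returns 0 when the symlink is
 * refused and the plain path is accepted, non-zero otherwise. */
int self_test(void)
{
    char dir[] = "/tmp/cdrdao-exampleXXXXXX", target[96], lnk[96];
    int fd, rc = 1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/config", dir);
    snprintf(lnk, sizeof lnk, "%s/.cdrdao", dir);
    if (symlink(target, lnk) == 0 && open_user_config(lnk) == -1 &&
        (fd = open_user_config(target)) >= 0) {
        close(fd);
        rc = 0;
    }
    unlink(lnk); unlink(target); rmdir(dir);
    return rc;
}
```

Run as an unprivileged user the real and effective uids coincide, so self_test exercises only the O_NOFOLLOW and fstat checks; under a setuid binary the seteuid step additionally makes the kernel enforce the user's permissions on the open.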