SUS 2.0.2 local root vulnerability

From: LSS Security (exposed_at_lss.hr)
Date: 09/14/04

    Date: Tue, 14 Sep 2004 15:56:10 +0200
    To: bugtraq@securityfocus.com

                               LSS Security Advisories
                               http://security.lss.hr

    ---
    Title              : SUS 2.0.2 local root vulnerability
    Advisory ID        : LSS#2004-09-01
    Date               : September 14th, 2004
    Advisory URL       : http://security.lss.hr/index.php?page=details&ID=LSS-2004-09-01
    Impact             : Any user can obtain root privileges
    Risk level         : High
    Vulnerability type : Local
    Vendors contacted  : GENTOO Linux and Peter D. Gray (SUS author)
    Contact date       : September 13th, 2004
    ---
    ==[ Overview
    SUS is a setuid root program that allows ordinary users to execute certain
    programs with superuser privileges. Its relatives are super, sudo and calife.
    SUS is installed setuid root by default.
    ==[ Vulnerability
    There is a very simple format string bug in the log() function that allows any
    local user to gain root privileges. The format string vulnerability is the result
    of an incorrect syslog() call, in which the user-controlled message is passed as
    the format argument, and it can be exploited directly from the command line.
    log.c:
    --------
    void
    log(char * msg)
    {
    ...
            openlog(ident, LOG_PID|LOG_CONS, facility);
            syslog(level, msg);   /* <- VULNERABILITY: caller-controlled msg is used as the format string */
    ...
    }
    --------
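    The corrected call, plus a small audit helper for messages headed to a logger, added here as an example (this is not SUS's own code and not part of the advisory); the ident, facility and level parameters are assumed:

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Corrected form of the log() call from the advisory: the user-supplied
 * message is an argument to a constant format, never the format itself.
 * ident, facility and level are assumed parameters, not SUS's own names. */
void log_msg(const char *ident, int facility, int level, const char *msg)
{
    openlog(ident, LOG_PID | LOG_CONS, facility);
    syslog(level, "%s", msg);        /* fixed: constant format string */
    closelog();
}

/* Audit helper: number of conversion directives a message would trigger
 * if it were wrongly passed as a format string. "%%" is a literal '%'. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {           /* escaped percent, skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build the line the fixed call emits ("ident: msg") through a constant
 * format and report whether it equals expected (1) or not (0). Any '%'
 * in msg survives literally instead of being interpreted. */
int log_line_matches(const char *ident, const char *msg, const char *expected)
{
    char line[512];
    snprintf(line, sizeof line, "%s: %s", ident, msg);
    return strcmp(line, expected) == 0;
}
```

    GCC and Clang flag the original non-literal format call when built with -Wformat -Wformat-security, which is a cheap check to add to a setuid program's build.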
    ==[ Affected versions
    The exploitation of this vulnerability was successfully tested on SUS version 2.0.2.
    ==[ Fix
    GENTOO Linux has released a patched version - sus-2.0.2-r1.
    A fixed version is also available on the SUS homepage:
    http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z
    ==[ PoC Exploit
    Proof of concept code can be downloaded at http://security.lss.hr/PoC/.
    ==[ Credits
    This vulnerability was found by Leon Juranic (ljuranic@LSS.hr).
    ==[ LSS Security Contact
     LSS Security Team, <eXposed by LSS>
     WWW    : http://security.lss.hr
     E-mail : security@LSS.hr
     Tel    : +385 1 6129 775