4838887 2000-02-26 00:00 /65 lines/ Postmaster
Recipient: Bugtraq (import) <9967>
Subject: Corel Linux 1.0 local root compromise
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Message-ID: <200002242318.KAA18622@jawa.chilli.net.au>
Date: Wed, 24 Feb 2000 23:27:35 +0000
Reply-To: suid@SUID.KG
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: suid@SUID.KG
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

suid@suid.kg - Corel xconf utils local root (among others) vulnerability.

Advisory Author: suid@suid.kg
Software:        Corel Linux 1.0 xconf utilities
URL:             http://linux.corel.com
Version:         1.0
Platforms:       Corel Linux only.

Summary:

Local users can take advantage of a lack of input validation and a lack of
privilege dropping in the setuid-root xconf utilities to gain root access, or
to perform a denial of service attack on Corel Linux systems.

Vulnerabilities:

There are multiple vulnerabilities; I know I have missed some here. For
example, I saw some /tmp files being created with the return value of
time(NULL) as an attempt at selecting a unique filename, which is
predictable. I haven't written these up here, however.

(1) Appending garbage XF86Config data to any file on the system

/sbin/buildxconf does no input validation and is setuid root. Invoking it
with the -f argument, a user can specify a filename to output to; for
example, /etc/shadow.

(2) Replacing the first line of any existing file with garbage

As above, no input validation. When invoked with the -x option, buildxconf
replaces the first line of the specified file with the path/filename of an
X server. Used against /etc/passwd, this overwrites the root account's entry:
an effective denial of service.

(3) Creating root-owned, world-writable files anywhere on the file system

Again, buildxconf does no input validation or directory permission checks.
Specifying -x or -f with a non-existent filename creates that file with mode
0666. Set your umask to 0 first, or the process umask will mask the mode.

(4) Executing arbitrary commands with euid root

A touch different. /sbin/setxconf allows users to test X configs with the
-T switch. This process eventually invokes xinit with euid root. A quick look
at the xinit man page will tell you that xinit reads ~/.xserverrc and will
execute whatever is in there while starting.

In the interests of keeping this post short I have left the rest of this
advisory out. If you're interested in exploit/workaround information, visit:
http://www.suid.kg/advisories/007.txt

Regards,
suid@suid.kg

(4838887) ------------------------------------------(Rewrapped)
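The two defences the advisory says the xconf utilities lack, opening a user-supplied output path as the invoking user instead of as root (issues 1 to 3) and dropping root completely before exec'ing a helper that honours per-user dotfiles such as xinit's ~/.xserverrc (issue 4), can be shown in a few functions. The following is an added example written for this page; it is not Corel's buildxconf/setxconf source, and the function names, the demo directory under /tmp and the sample XF86Config line are assumptions:

```c
/* Added example, not Corel's buildxconf/setxconf code.  Shows the defences
 * the advisory says are missing: open the "-f"/"-x" target with the caller's
 * real uid so the kernel enforces the caller's permissions, and drop root
 * irreversibly before exec'ing xinit.  Names and paths below are assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open PATH for appending with the caller's real uid/gid in effect.  The
 * kernel then applies the invoker's own permissions to PATH (so /etc/shadow
 * is refused), O_NOFOLLOW refuses a planted symlink, and a new file gets
 * 0644 (masked by umask) instead of the 0666 the advisory observed. */
int open_output_as_invoker(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    if (setegid(rgid) != 0 || seteuid(ruid) != 0)   /* become the caller: gid first */
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0644);
    int saved_errno = errno;
    /* Regain the saved set-uid (root) for the program's legitimate work;
     * if that fails the process is in an unknown state, so bail out. */
    if (seteuid(euid) != 0 || setegid(egid) != 0)
        abort();
    errno = saved_errno;
    return fd;
}

/* Irreversibly become UID/GID: supplementary groups first (only root may
 * change them), then gid, then uid.  setuid() as root also sets the saved
 * uid; the final setuid(0) attempt confirms root cannot be regained. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;        /* root still recoverable */
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Run PATH with ARGV as the invoking user.  This is what "setxconf -T" would
 * need to do before reaching xinit: whatever ~/.xserverrc starts then runs
 * as the user, not as root.  Returns the child's exit status, or -1. */
int run_as_invoker(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges_permanently(getuid(), getgid()) != 0) _exit(127);
        execv(path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Exercise the output-path defence in a private directory; 0 means every
 * check held.  The config line is constructed demo data. */
int demo_output_path(void)
{
    char dir[] = "/tmp/xconf-demo-XXXXXX", cfg[64], lnk[64], target[64];
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(cfg, sizeof cfg, "%s/XF86Config", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    int rc = 0;
    struct stat st;
    int fd = open_output_as_invoker(cfg);
    if (fd < 0 || write(fd, "Section \"Files\"\n", 16) != 16) rc = 2;
    else if (fstat(fd, &st) != 0 || (st.st_mode & S_IWOTH)) rc = 3;  /* never 0666 */
    if (fd >= 0) close(fd);
    if (rc == 0) {                     /* a symlink at the output path must be refused */
        if (symlink(target, lnk) != 0) rc = 4;
        else {
            int lfd = open_output_as_invoker(lnk);
            if (lfd >= 0) { close(lfd); rc = 5; }
            else if (access(target, F_OK) == 0) rc = 6;   /* created through the link */
        }
    }
    unlink(lnk); unlink(target); unlink(cfg); rmdir(dir);
    return rc;
}

/* Exit status of a throwaway shell run with root fully dropped. */
int demo_exec(void)
{
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    return run_as_invoker("/bin/sh", argv);
}

int main(void)
{
    printf("output-path checks: %d (0 = ok)\n", demo_output_path());
    printf("unprivileged exec status: %d (expect 3)\n", demo_exec());
    printf("permanent drop: %d (0 = ok)\n", drop_privileges_permanently(getuid(), getgid()));
    return 0;
}
```

Opening the file as the real user is what makes "-f /etc/shadow" and "-x /etc/passwd" fail: the kernel, not a path blacklist, decides whether the invoker may write there, and the temporary drop is enough because the program still needs root afterwards to install the generated config. Before exec'ing xinit the drop has to be permanent (setgroups, setgid, setuid, then verify), since xinit will run the user's own ~/.xserverrc. The time(NULL)-named /tmp files the author mentions are the same class of problem and would be replaced by mkstemp(3).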