4889177 2000-03-12 04:21 /168 lines/ The Mail Carrier (which is implemented in) Python
Recipient: Bugtraq (import) <10205>
Subject: TESO advisory -- wmcdplay
------------------------------------------------------------
------
TESO Security Advisory
03/09/2000
wmcdplay local root compromise
Summary
===================
A vulnerability within the wmcdplay CD playing application for
the WindowMaker desktop has been discovered. It allows local root
compromise through arbitrary code execution.
Systems Affected
===================
Any system which has wmcdplay installed as setuid root. Although
wmcdplay is not installed by default on most popular distributions,
when it is installed optionally it is always installed setuid root
and is therefore affected by the problem.
Please note that wmcdplay doesn't require WindowMaker as its
desktop, so even if you haven't installed WindowMaker you may be
vulnerable.
Among the vulnerable distributions (if the package is installed)
are the following systems:
Debian/GNU Linux 2.1, wmcdplay 1.0beta1-2
Halloween Linux Version 4
Tests
===================
liane:[bletchley]> id -a
uid=501(bletchley) gid=501(bletchley) groups=501(bletchley)
liane:[bletchley]> cd wmhack/
liane:[wmhack]> uname -a
Linux liane.c-skills.de 2.2.13-13 #21 Thu Mar 2 10:36:13 WET 2000 i686 unknown
liane:[wmhack]> stat `which wmcdplay`
File: "/usr/X11R6/bin/wmcdplay"
Size: 38372 Filetype: Regular File
Mode: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 3,1 Inode: 213954 Links: 1
Access: Sat Mar 4 14:21:43 2000(00004.20:34:20)
Modify: Thu Nov 11 09:59:00 1999(00119.00:57:03)
Change: Fri Mar 3 15:31:42 2000(00005.19:24:21)
liane:[wmhack]> cc wmexp.c
liane:[wmhack]> ./a.out
You can also add an offset to the command-line. 40 worked for me on the console.
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
wmcdplay : Tried to find artwork file, but failed.
Segmentation fault
liane:[wmhack]> ./a.out 40
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
wmcdplay : Tried to find artwork file, but failed.
Illegal instruction
liane:[wmhack]> ./a.out 140
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
wmcdplay : Tried to find artwork file, but failed.
sh-2.03# id -a
uid=0(root) gid=501(bletchley) groups=501(bletchley)
sh-2.03#
Impact
===================
Through exploitation of the buffer overflow within wmcdplay a
local user can elevate his privileges to the superuser
level. Once this is achieved the attacker has complete access to
the system, allowing the compromise of all data stored on it.
Explanation
===================
Because a sprintf() call that formats command-line arguments lacks
adequate bounds checking, it can be used to overflow a stack-located
buffer. By supplying suitable values and avoiding zero bytes, an
attacker can execute arbitrary code.
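The bug class above, as an added illustration that is not wmcdplay's code: an unbounded sprintf() of a command-line argument into a fixed stack buffer, beside the bounded replacement that rejects input which does not fit. The buffer size, the "artwork path" purpose and the directory string are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the example; wmcdplay's real size is not
 * stated in the advisory. */
#define PATH_BUF_LEN 64

/* Vulnerable pattern: sprintf() assumes 'arg' fits. An argv[] value
 * longer than the buffer writes past 'buf' and corrupts the stack
 * frame, which is the defect the advisory describes. Shown only to
 * contrast with the fixed version; never call it with untrusted input. */
void build_path_unsafe(char *buf, const char *dir, const char *arg)
{
    sprintf(buf, "%s/%s", dir, arg);   /* no bound on strlen(arg) */
}

/* Hardened version: snprintf() writes at most bufsize bytes and returns
 * the length it would have needed, so truncation is detectable.
 * Returns 0 on success, -1 if the result does not fit; the caller must
 * treat -1 as an error rather than use a silently truncated path. */
int build_path_safe(char *buf, size_t bufsize, const char *dir, const char *arg)
{
    int n = snprintf(buf, bufsize, "%s/%s", dir, arg);
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize > 0)
            buf[0] = '\0';             /* leave no partial path behind */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char path[PATH_BUF_LEN];
    const char *arg = argc > 1 ? argv[1] : "default.xpm";

    /* Untrusted argv goes through the bounded routine; "/some/artwork/dir"
     * is a constructed placeholder, not a real installation path. */
    if (build_path_safe(path, sizeof path, "/some/artwork/dir", arg) != 0) {
        fprintf(stderr, "argument too long, refusing to continue\n");
        return 1;
    }
    printf("artwork path: %s\n", path);
    return 0;
}
```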
Solution
===================
The author and the distributors have been informed in advance, and a
patch is already available. As a short-term workaround, simply remove
the setuid bit; it is not necessary.
Acknowledgments
================
The discovery of the bug and the demonstration programs are due to
S. Krahmer [2]. The shellcode is due to Stealth.
This advisory has been written by scut and S. Krahmer.
Contact Information
===================
The TESO crew can be reached by mailing to tesopub@coredump.cx.
Our web page is at http://teso.scene.at/
C-Skills developers may be reached through [2].
References
===================
[1] TESO
http://teso.scene.at/
[2] S. Krahmer, C-Skills
http://www.cs.uni-potsdam.de/homepages/students/linuxer/
Disclaimer
===================
This advisory does not claim to be complete or to be usable for
any purpose. In particular, information on the vulnerable systems may
be inaccurate or wrong. The supplied exploit is not to be used
for malicious purposes, but for educational purposes only.
This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should
include links [1] and [2].
Exploit
===================
We've created a working demonstration program to exploit the
vulnerability.
The exploit is available from
http://teso.scene.at/
and
http://www.cs.uni-potsdam.de/homepages/students/linuxer
------
(4889177) ------------------------------------------(Reflowed)
4901888 2000-03-15 06:31 /24 lines/ The Mail Carrier (which is implemented in) Python
Recipient: Bugtraq (import) <10226>
Comment on text 4889177 by The Mail Carrier (which is implemented in) Python
Subject: Re: TESO advisory -- wmcdplay
------------------------------------------------------------
Previously krahmer@CS.UNI-POTSDAM.DE wrote:
> Systems Affected
> ===================
>
> Any system which has wmcdplay installed as setuid root. Though on most
> popular system distributions wmcdplay is not installed by default, the
> optional installation of it is always setuid root, hence affected by the
> problem.
[.. snip snip ..]
> Debian/GNU Linux 2.1, wmcdplay 1.0beta1-2
Unlike what you imply here, Debian does not ship wmcdplay setuid root.
Wichert.
--
Generally uninteresting signature - ignore at your convenience
wichert@liacs.nl http://www.liacs.nl/~wichert/
1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D
(4901888) ------------------------------------------