4889177 2000-03-12  04:21  /168 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <10205>
Ärende: TESO advisory -- wmcdplay
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ------

TESO Security Advisory
03/09/2000

wmcdplay local root compromise


Summary
===================

    A vulnerability within the wmcdplay CD playing application for
    the WindowMaker desktop has been discovered. It allows local root
    compromise through arbitrary code execution.


Systems Affected
===================

    Any system which has wmcdplay installed as setuid root. Though on
    most popular system distributions wmcdplay is not installed by
    default, the optional installation of it is always setuid root,
    hence affected by the problem.

    Please note that wmcdplay doesn't require WindowMaker as its
    desktop, so even if you haven't installed WindowMaker you may be
    vulnerable.

    Among the vulnerable distributions (if the package is installed)
    are the following systems:

      Debian/GNU Linux 2.1, wmcdplay 1.0beta1-2
      Halloween Linux Version 4


Tests
===================


    liane:[bletchley]> id -a
    uid=501(bletchley) gid=501(bletchley) groups=501(bletchley)
    liane:[bletchley]> cd wmhack/
    liane:[wmhack]> uname -a
    Linux liane.c-skills.de 2.2.13-13 #21 Thu Mar 2 10:36:13 WET 2000 i686 unknown
    liane:[wmhack]> stat `which wmcdplay`
      File: "/usr/X11R6/bin/wmcdplay"
      Size: 38372        Filetype: Regular File
      Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
    Device:  3,1   Inode: 213954    Links: 1
    Access: Sat Mar  4 14:21:43 2000(00004.20:34:20)
    Modify: Thu Nov 11 09:59:00 1999(00119.00:57:03)
    Change: Fri Mar  3 15:31:42 2000(00005.19:24:21)
    liane:[wmhack]> cc wmexp.c
    liane:[wmhack]> ./a.out
    You can also add an offset to the command-line. 40 worked for me on the console.
    Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
    Respect other users privacy!
    wmcdplay : Tried to find artwork file, but failed.
    Segmentation fault
    liane:[wmhack]> ./a.out 40
    Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
    Respect other users privacy!
    wmcdplay : Tried to find artwork file, but failed.
    Illegal instruction
    liane:[wmhack]> ./a.out 140
    Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
    Respect other users privacy!
    wmcdplay : Tried to find artwork file, but failed.
    sh-2.03# id -a
    uid=0(root) gid=501(bletchley) groups=501(bletchley)
    sh-2.03#

Impact
===================

    Through exploitation of the buffer overflow within wmcdplay a
    local user can elevate his privileges to the superuser
    level. Once this is archived the attacker has complete access to
    the system, allowing compromitation of all data stored on it.


Explanation
===================

    Due to inaccurate bounds-checking a sprintf() call with
    commandline arguments, it can be used to overflow a stack-located
    buffer.  By setting proper values and avoiding zero-bytes an
    attacker can execute arbitrary code.


Solution
===================

    The author and the distributor has been informed before. A patch
    is already available. Short-timed just remove the suid-bit; it is
    not necessary.
	 	

Acknowledgments
================

    The bug-discovery and the demonstration programs are due to
    S. Krahmer [2].  The shell-code is due to Stealth.

    This advisory has been written by scut and S. Krahmer.


Contact Information
===================

    The TESO crew can be reached by mailing to tesopub@coredump.cx.
    Our web page is at http://teso.scene.at/

    C-Skills developers may be reached through [2].


References
===================

    [1] TESO
        http://teso.scene.at/

    [2] S. Krahmer, C-Skills
        http://www.cs.uni-potsdam.de/homepages/students/linuxer/


Disclaimer
===================

    This advisory does not claim to be complete or to be usable for
    any purpose. Especially information on the vulnerable systems may
    be inaccurate or wrong. The supplied exploit is not to be used
    for malicious purposes, but for educational purposes only.

    This advisory is free for open distribution in unmodified form.
    Articles that are based on information from this advisory should
    include link [1] and [2].


Exploit
===================

    We've created a working demonstration program to exploit the
vulnerability.

    The exploit is available from

       http://teso.scene.at/

    and
	
       http://www.cs.uni-potsdam.de/homepages/students/linuxer

- ------



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4yQ4QcZZ+BjKdwjcRAobJAJwO+vEtw5on/9obko1ozI7DywhbSwCgnG18
7aAhRDSSJr15f06W1Ei4b64=
=HrTR
-----END PGP SIGNATURE-----
(4889177) ------------------------------------------(Ombruten)

4901888 2000-03-15  06:31  /24 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <10226>
Kommentar till text 4889177 av Brevbäraren (som är implementerad i) Python
Ärende: Re: TESO advisory -- wmcdplay
------------------------------------------------------------
Previously krahmer@CS.UNI-POTSDAM.DE wrote:
> Systems Affected
> ===================
> 
>     Any system which has wmcdplay installed as setuid root. Though on most
>     popular system distributions wmcdplay is not installed by default, the
>     optional installation of it is always setuid root, hence affected by the
>     problem.

[.. snip snip ..]
 
>       Debian/GNU Linux 2.1, wmcdplay 1.0beta1-2

Unlike what you imply here Debian does not ship wmcdplay setuid root.

Wichert.

-- 
   ________________________________________________________________
 / Generally uninteresting signature - ignore at your convenience  \
| wichert@liacs.nl                    http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
(4901888) ------------------------------------------