Bugtraq mailing list archives
Security Problems in XMCD
From: davem () iss net (David J. Meltzer)
Date: Mon, 25 Nov 1996 12:45:32 -0500
There are security holes in XMCD 2.0pl2 (and presumably all previous versions), a popular audio CD player for numerous Unix platforms, which allow a user-defined environment variable to overflow a fixed-size buffer, resulting in a complete compromise of system security on machines with XMCD installed suid root.

The cddb_init() function reads in the environment variable XMCD_CDDBPATH and parses out path names from it, dynamically allocating memory for each pathname as it is parsed. The cd_init() function, which calls cddb_init(), then uses the structure with the dynamically allocated path string and copies it into a fixed-length buffer with:

    sprintf(str, " %s", pathp->path);

The str variable is defined in cd_init() as:

    char str[FILE_PATH_SZ + 2];

Rob McMillan and Georgia Killcrece at CERT, and Ti Kan, the maintainer of XMCD, were made aware of this problem on November 19th. Any questions to CERT regarding this security hole should reference INFO#96.25542. Ti Kan says he has already fixed this problem in a new unreleased version of XMCD, although he was not aware until I explained it in detail that the problem could possibly exist. This new release, or a patch correcting this security problem, has not been made available to the public by Mr. Kan.

Questions regarding XMCD should be sent to the maintainer at xmcd () amb org. Questions regarding CERT's emergency response or lack thereof to this security hole should be sent to cert () cert org. Questions regarding security can be sent to me at davem () iss net.

Program: xmcd 2.0pl2 (and previous versions)
Affected Operating Systems: All with xmcd installed suid root
Requirements: account on system
Patch: chmod -s xmcd
Solution: rm -f xmcd; buy a Sony Discman(tm).
Security Compromise: root
Reported By: David J. Meltzer (davem () iss net)
Synopsis: A buffer overflow in the XMCD_CDDBPATH environment variable allows a user to overwrite the contents of the stack and execute arbitrary code as root.

[trad:davem] ~ >./bo --exists -e XMCD_CDDBPATH /usr/X11/bin/xmcd
+++ Buffer Overflow Found in XMCD_CDDBPATH environment for /usr/X11/bin/xmcd.
[trad:davem] ~ >

To test if you are vulnerable to this hole, examine your system for xmcd suid root, and if it exists, fill the XMCD_CDDBPATH environment variable with a large number of characters (i.e. 'A'). Execute xmcd; if it results in a segmentation fault after a few seconds, you are likely vulnerable to this attack, and should remove the suid bit from xmcd. Exploits for this hole are left as an exercise to the reader.

I am not providing a patch for xmcd that fixes this problem because I would not advocate running xmcd, or any other CD player, as suid root on a system, regardless of whether this or other known security vulnerabilities have been corrected. The probability of more security problems existing outweighs the benefit of being able to listen to music on the console in many situations; make an informed decision when running any program on your machine as root.

--------------------------------+---------------------
David J. Meltzer                | Email: davem () iss net
Systems Engineer                | Web: www.iss.net
Internet Security Systems, Inc. | Fax: (770)395-1972
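The overflow described in the post, as an added example that is not part of the original message or of xmcd's source: a colon-separated path list is parsed into malloc'd strings with no length limit (the cddb_init() step), and each element is then formatted into a stack buffer of FILE_PATH_SZ + 2 bytes (the cd_init() step). Since sprintf(str, " %s", path) writes strlen(path) + 2 bytes (the leading space plus the terminating NUL), any element longer than FILE_PATH_SZ runs past the end of str. The block computes that overrun rather than performing it, and shows the bounded snprintf() replacement that rejects oversized entries instead of truncating them. The value of FILE_PATH_SZ and every function and struct name below are assumptions for illustration; the post does not give xmcd's real values.

```c
/* Added example, not xmcd's source. FILE_PATH_SZ is an assumed value
 * (the post does not give xmcd's); all names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILE_PATH_SZ 255  /* assumed, for illustration only */

struct cddb_path {
    char *path;
    struct cddb_path *next;
};

/* Split a colon-separated list (e.g. getenv("XMCD_CDDBPATH")) into
 * heap-allocated strings. As in the parsing step the post describes,
 * nothing here limits how long an element may be. */
struct cddb_path *parse_cddb_path(const char *list)
{
    struct cddb_path *head = NULL, **tail = &head;
    const char *p = list;

    while (p != NULL) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len > 0) {
            struct cddb_path *n = malloc(sizeof *n);
            if (n == NULL || (n->path = malloc(len + 1)) == NULL) {
                free(n);
                break;
            }
            memcpy(n->path, p, len);
            n->path[len] = '\0';
            n->next = NULL;
            *tail = n;
            tail = &n->next;
        }
        p = sep ? sep + 1 : NULL;
    }
    return head;
}

void free_cddb_path(struct cddb_path *l)
{
    while (l != NULL) {
        struct cddb_path *next = l->next;
        free(l->path);
        free(l);
        l = next;
    }
}

/* The unsafe pattern: sprintf(str, " %s", path) into char str[FILE_PATH_SZ + 2]
 * writes strlen(path) + 2 bytes (space plus NUL) with no bound. Return how
 * many bytes would land past the end of str (0 means it fits). This only
 * does the arithmetic; it never performs the overflowing write. */
size_t overflow_bytes(const char *path)
{
    size_t need = strlen(path) + 2;
    size_t have = FILE_PATH_SZ + 2;
    return need > have ? need - have : 0;
}

/* Bounded replacement: snprintf() never writes past dst_sz, and its return
 * value reveals truncation. Returns 0 if the entry fits, -1 if not; the
 * caller should reject the path rather than continue with a truncated one. */
int format_path_entry(char *dst, size_t dst_sz, const char *path)
{
    int n = snprintf(dst, dst_sz, " %s", path);
    if (n < 0 || (size_t)n >= dst_sz) {
        if (dst_sz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Walk a parsed list into the same-sized stack buffer cd_init() would use,
 * but through the bounded formatter. Returns the number of rejected entries. */
int check_cddb_list(const char *list)
{
    char str[FILE_PATH_SZ + 2];
    int rejected = 0;
    struct cddb_path *l = parse_cddb_path(list);

    for (struct cddb_path *e = l; e != NULL; e = e->next)
        if (format_path_entry(str, sizeof str, e->path) != 0)
            rejected++;
    free_cddb_path(l);
    return rejected;
}

/* n 'A's, the kind of value the post suggests putting in XMCD_CDDBPATH. */
char *repeat_a(size_t n)
{
    char *s = malloc(n + 1);
    if (s != NULL) {
        memset(s, 'A', n);
        s[n] = '\0';
    }
    return s;
}

int main(void)
{
    char *big = repeat_a(4000);
    printf("sprintf would overrun str by %zu bytes\n", overflow_bytes(big));
    printf("bounded copy rejected %d entries\n", check_cddb_list(big));
    free(big);
    return 0;
}
```

The point of checking snprintf()'s return value rather than just swapping it in for sprintf() is that a silently truncated path would make xmcd look up the CDDB directory in the wrong place; rejecting the entry keeps the behaviour explicit. The test in the post (a long run of 'A's in the environment, then watching for a segmentation fault) corresponds to the 4000-byte case in main(), where the unbounded write would overrun the buffer by several kilobytes.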
Current thread:
- Futile rexecd holes, (continued)
- Futile rexecd holes jaeger (Nov 18)
- Re: Futile rexecd holes Roger Espel Llima (Nov 19)
- Irix: new LicenseManager is safe? No way Yuri Volobuev (Nov 22)
- Re: Futile rexecd holes Jon Peatfield (Nov 22)
- Administratrivia Aleph One (Nov 22)
- Administratrivia Scriptors of DOOM (Nov 23)
- A Stupid script. Efrain Torres (Nov 22)
- A Stupid script. Aleph One (Nov 24)
- AIX lquerypv Aleph One (Nov 25)
- lquerypv fix Troy Bollinger (Nov 25)
- Security Problems in XMCD David J. Meltzer (Nov 25)
- FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr FreeBSD Security Officer (Nov 25)
- Digital FW2.0 question Peter Dieth (Nov 26)
- Re: Digital FW2.0 question Alan Cox (Nov 27)
- Re: FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr Warner Losh (Nov 26)
- XMCD v2.1 released (was: Security Problems in XMCD) Xmcd Admin (Nov 25)
- Security Problems in XMCD 2.1 David J. Meltzer (Nov 26)
- Re: Security Problems in XMCD 2.1 Theo Van Dinter (Nov 26)
- Re: Security Problems in XMCD 2.1 Jim Dennis (Nov 26)
- Re: Security Problems in XMCD 2.1 Alan Cox (Nov 27)
- Administratriva Aleph One (Nov 26)