Bugtraq mailing list archives
TESO advisory -- atsadc
From: krahmer () CS UNI-POTSDAM DE (krahmer () CS UNI-POTSDAM DE)
Date: Sat, 11 Mar 2000 06:32:17 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------ TESO Security Advisory 09/03/2000

atsadc local root compromise

Summary
===================

The atsar application contains an exploitable vulnerability. The Halloween 4 Linux distribution, which is based on RedHat 6.1, ships with this suid-root program. It might be used to gain superuser privileges.

Systems Affected
===================

Halloween 4 Linux distribution, maybe others too. Any system that has the atsar-linux-1.4.2 package installed.

Tests
===================

liane:[bletchley]> id -a
uid=501(bletchley) gid=501(bletchley) groups=501(bletchley)
liane:[bletchley]> uname -a
Linux liane.c-skills.de 2.2.13-13 #21 Thu Mar 2 10:36:13 WET 2000 i686 unknown
liane:[bletchley]> stat `which atsadc`
  File: "/usr/sbin/atsadc"
  Size: 16000          Filetype: Regular File
  Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
Device:  3,1   Inode: 117038    Links: 1
Access: Thu Mar  9 10:09:37 2000(00000.01:02:49)
Modify: Tue Nov  9 23:57:50 1999(00120.11:14:36)
Change: Tue Mar  7 14:55:23 2000(00001.20:17:03)
liane:[bletchley]> cd atsar-hack/
liane:[atsar-hack]> ./ass.pl
Creating hijack-lib ...
Compiling hijack-lib ...
Compile shell ...
Invoking vulnerable program (atsadc)...
sh: error in loading shared libraries: sh: error in loading shared libraries:
Welcome. But as always: BEHAVE!
sh-2.03# id -a
uid=0(root) gid=0(root) groups=501(bletchley)
sh-2.03#

We've created a full working root-exploit which can be obtained from [1] or [2]. To work properly the /etc/ld.so.preload file must not exist. If it already exists, attackers may use other config-files to gain root access.

Impact
===================

The vulnerable program 'atsadc' is shipped on the power-tools/contrib CD and comes per default suid root (package "atsar-linux"). Attackers might use this program with obscure command-line options to gain local root access.

Explanation
===================

Atsadc doesn't properly check permissions of the output file given on the command line. Rather, it opens the file without the O_EXCL flag, and since it runs with root's effective uid the open succeeds on files the invoking user could never write himself, allowing an attacker to overwrite any file he wishes. Due to the nice mode of 0664, an attacker may even create new files to which he has write access (group rw). In interaction with other Linux 'system tools' (the exploit above relies on /etc/ld.so.preload) he can gain root access.

Solution
===================

Remove the suid bit. The vendor and the author have been informed before, so a patch is already available.

Acknowledgments
================

The bug discovery, further analysis and the exploit were done by S. Krahmer -- http://www.cs.uni-potsdam.de/homepages/students/linuxer/
This advisory has been written by S. Krahmer.

Contact Information
===================

The TESO crew can be reached by mailing to tesopub () coredump cx.
Our web page is at http://teso.scene.at/
"C-Skills" developers may be reached through [1].

References
===================

[1] S. Krahmer, C-Skills
    http://www.cs.uni-potsdam.de/homepages/students/linuxer/
[2] TESO
    http://teso.scene.at

Disclaimer
===================

This advisory does not claim to be complete or to be usable for any purpose. Especially information on the vulnerable systems may be inaccurate or wrong. The supplied exploit is not to be used for malicious purposes, but for educational purposes only. This advisory is free for open distribution in unmodified form. Articles that are based on information from this advisory should include links [1] and [2].

Exploit
===================

We've created a working exploit to demonstrate the vulnerability. The exploit is available on either http://teso.scene.at/ or http://www.cs.uni-potsdam.de/homepages/students/linuxer/

- ------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4yQ3AcZZ+BjKdwjcRAiUIAJ0Y9ImuZ1tqcc/L9QL2z83PfAnZpwCeIEsP
jbEGQVclXZXC3espkFZzr0Y=
=2WIN
-----END PGP SIGNATURE-----
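The file-handling flaw described in the Explanation section, as an added example that is not part of the advisory or of the atsar code: a minimal re-creation of the vulnerable pattern (a setuid-root program opening a caller-supplied output path with root's credentials, mode 0664, O_TRUNC) next to a hardened opener. The hardened variant is this editor's suggestion, not the vendor's patch; the function names and the symlink scenario in demo_symlink_redirect() are constructed for the demonstration. The demo runs unprivileged: when the binary is not setuid, the seteuid/setegid calls are no-ops and the only observable difference is the symlink handling, which is exactly the redirection an attacker would use to aim the root-owned write at a file like /etc/ld.so.preload.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes (reconstructed, not atsadc's source):
 * a setuid-root program opens a user-chosen output path with the effective
 * (root) credentials, creates it group-writable and truncates whatever was
 * there. Anything root may write, the invoking user may now overwrite, and a
 * symlink placed by the user redirects the write to any path on the system. */
int vulnerable_open_output(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0664);
}

/* Hardened opener (editor's suggestion):
 *  1. run the open with the real uid/gid so the kernel's permission check
 *     is done as the invoking user, not as root;
 *  2. refuse a symbolic link at the final path component (O_NOFOLLOW);
 *  3. after the open, verify via fstat that the result is a regular file
 *     owned by the real uid, rejecting files pre-created by someone else;
 *  4. create with mode 0600 and append rather than truncate. */
int hardened_open_output(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    struct stat st;
    int fd, saved_errno;

    /* Drop privileges for the duration of the open (gid first while still
     * root, so the gid change is permitted). */
    if (setegid(rgid) == -1 || seteuid(ruid) == -1)
        return -1;

    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    saved_errno = errno;

    /* Restore privileges regardless of outcome (uid first, then gid). If this
     * fails the process no longer knows which identity it holds; bail out. */
    if (seteuid(euid) == -1 || setegid(egid) == -1) {
        if (fd != -1) close(fd);
        abort();
    }

    if (fd == -1) { errno = saved_errno; return -1; }

    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_uid != ruid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: in a fresh temporary directory, create a "victim"
 * file with content, point a symlink at it and hand the symlink to both
 * openers. Returns 0 when the vulnerable opener truncated the victim through
 * the link, the hardened one refused the link with ELOOP, and the hardened
 * one created a fresh file with mode 0600. */
int demo_symlink_redirect(void)
{
    char dir[] = "/tmp/atsadc-demo-XXXXXX";
    char victim[256], link[256], fresh[256];
    struct stat st;
    int fd, rc = 1;

    if (mkdtemp(dir) == NULL) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);

    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd == -1) goto out;
    if (write(fd, "secret\n", 7) != 7) { close(fd); goto out; }
    close(fd);
    if (symlink(victim, link) == -1) goto out;

    /* 1. the vulnerable opener follows the link and truncates the target */
    fd = vulnerable_open_output(link);
    if (fd == -1) goto out;
    close(fd);
    if (stat(victim, &st) == -1 || st.st_size != 0) goto out;

    /* 2. the hardened opener refuses the symlink outright */
    if (hardened_open_output(link) != -1 || errno != ELOOP) goto out;

    /* 3. the hardened opener creates a new file that is not group-writable */
    fd = hardened_open_output(fresh);
    if (fd == -1) goto out;
    if (fstat(fd, &st) == -1 || (st.st_mode & 07777) != 0600) { close(fd); goto out; }
    close(fd);
    rc = 0;
out:
    unlink(fresh); unlink(link); unlink(victim); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_redirect();
    printf("%s\n", rc == 0 ? "vulnerable opener followed the link, hardened opener refused"
                           : "demo failed");
    return rc;
}
```

Dropping the suid bit, as the advisory recommends, removes the problem entirely; where a program genuinely needs root for part of its work, the point of the hardened opener is that user-controlled paths are opened with the user's own credentials and checked after the fact, so O_EXCL-style races and symlink redirection buy the attacker nothing.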