Bugtraq mailing list archives

cdrdao insecure filehandling

From: Jens Steube <jsteube () lastflood com>
Date: Sun, 13 Jan 2002 00:09:20 +0100 (CET)


--[ Description ]--

There are several security-related Bugs in the distributed 
Debian (SID) Package of CDRDAO, a program to write audio or mixed 
mode CD-Rs in disk-at-once mode. /usr/bin/cdrdao is setuid-Root 
by default.


--[ Version ]--

Name: Cdrdao 
Version: 1.1.5 
Autor: Andreas Mueller <andreas () daneb de>


--[ Impact ]--

Local users can gain unauthorized root access to the system.


--[ Legal ]--

The information in this advisory may be distributed or 
reproduced, provided that the advisory is not modified in any way.
The Autor makes no warranties of any kind to the information 
contained in this security advisory.


--[ Bugs ]--

Cdrdao doesnt check for permissions when it trys to open a file
as its "toc-file". So it was possible to open all Files on the
System, but it skips the Output on its Error-Message. Maybe it is
possible to trick to read all these Files. As i tested around to 
trick i found another Bug.

This more important Bug is that cdrdao can also write a 
configfile which is written to "$HOME/.cdrdao". it is written by 
the Root-User and not as the User who starts cdrdao. It is possible 
to include data on the written configfile and so it is possible to 
gain root via a symlink-attack on $HOME/.cdrdao

After i found these Bugs i stopped to search for more Bugs.


--[ Fix ]--

Not tried to fix. 

The Autor, the Debian Package Maintainer and the Debian 
Bugtracking System (#127930) where informed one week before
this Post, but there was no response.


--[ Tested on ]--

Debian GNU/Linux SID on i386, installed gcc and running cron


--[ Credits ]--

Found and exploited by Jens "atomi" Steube.

Greets go out to: impulse, symbiont, mot, para, sharkking, kartan 
and all other friend on #altoetting and #perl.de on ircnet.


--[ Proof of concept exploit ]--

The attached exploit is designed for the Debian (SID) Package 
and not tested on other Systems. 



Regards,

Jens Steube
jsteube () lastflood com

Attachment: cdrdaohack.sh
Description:

Current thread:

cdrdao insecure filehandling Jens Steube (Jan 14)
- Re: cdrdao insecure filehandling Guillaume PELAT (Jan 15)
- Re: cdrdao insecure filehandling Anthony DeRobertis (Jan 15)
  - Re: cdrdao insecure filehandling martin f krafft (Jan 16)
    - Re: cdrdao insecure filehandling Luciano Miguel Ferreira Rocha (Jan 17)
    - Re: cdrdao insecure filehandling Pavel Kankovsky (Jan 21)