Bugtraq mailing list archives

TESO & C-Skills development advisory -- kreatecd

From: krahmer () CS UNI-POTSDAM DE (Sebastian)
Date: Thu, 16 Mar 2000 14:40:35 +0100


This one is very strange.
I hate GUIS. Still ...

Sebastian.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------

TESO Security Advisory
2000/03/14 

kreatecd local root compromise


Summary
===================

    A vulnerability within the kreatecd application for Linux has been 
    discovered. An attacker can gain local root-access.


Systems Affected
===================

    Any system which has kreatecd installed as set-UID root.
    This affects also a configure; make; make install procedure.

    Among the vulnerable distributions (if the package is installed) are the
    following systems:

      Halloween Linux Version 4
      SuSE 6.x


Tests
===================

    [stealth@liane stealth]$ stat `which kreatecd`
      File: "/usr/bin/kreatecd"
      Size: 229068       Filetype: Regular File
      Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
    Device:  3,1   Inode: 360053    Links: 1
    Access: Tue Mar 14 14:48:21 2000(00000.00:00:45)
    Modify: Tue Mar 14 14:48:21 2000(00000.00:00:45)
    Change: Tue Mar 14 14:48:21 2000(00000.00:00:45)
    [stealth@liane stealth]$ id
    uid=500(stealth) gid=500(stealth) groups=500(stealth)
    [stealth@liane stealth]$ /tmp/kreatur
    (... some diagnostic messages ...)
    Creating suid-maker...
    Creating boom-shell...

    Execute kreatecd and follow the menus:
    Configure -> Paths  -- change the path for cdrecord to /tmp/xxx
    Apply -> OK
    Configure -> SCSI -> OK

    Execute /tmp/boomsh

    
    BEHAVE!
       
    (poking around with GUI...)
    [stealth@liane stealth]$ /tmp/boomsh
    [root@liane stealth]# id
    uid=0(root) gid=500(stealth) groups=500(stealth)
    [root@liane stealth]#


Impact
===================

    An attacker may gain local root-access to a system where vulnerable 
    kreatecd package is installed. It might be difficult for an remote-
    attacker who gained local user-access due to the GUI-nature of
    the vulnerable program.
    I appreciate help with some tips how one can get an instant rootshell
    without clicking around.
    

Explanation
===================

    Kreatecd which runs with the saved user-id of 0 blindly trusts path's to
    cd-recording software given by unprivileged user.
    It then invokes this software with EUID of 0 when user just clicks a little
    bit around with the menus.


Solution
===================

    The author and the distributor has been informed before.
    Remove the suid bit of kreatecd.


Acknowledgments
================

    The bug-discovery and the demonstration programs are due to S. Krahmer [1].
    This advisory has been written by S. Krahmer.


Contact Information
===================

    The TESO crew can be reached by mailing to teso () coredump cx.
    Our web page is at https://teso.scene.at/
    
    C-Skills developers may be reached through [1].


References
===================

    [1] S. Krahmer, C-Skills
        http://www.cs.uni-potsdam.de/homepages/students/linuxer/

    [2] TESO
        http://teso.scene.at or https://teso.scene.at/
        

Disclaimer
===================

    This advisory does not claim to be complete or to be usable for any
    purpose. Especially information on the vulnerable systems may be
    inaccurate or wrong. The supplied exploit is not to be used for malicious
    purposes, but for educational purposes only.

    This advisory is free for open distribution in unmodified form.
    Articles that are based on information from this advisory should include
    link [1] and [2].


Exploit
===================

    We've created a working demonstration program to exploit the vulnerability.

    The exploit is available from

       http://teso.scene.at/ or https://teso.scene.at/

    and
        
       http://www.cs.uni-potsdam.de/homepages/students/linuxer

- ------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4zpvYcZZ+BjKdwjcRAtukAJwLRMYT1S2FLZriifUmm+vnVznSfQCgk4m9
9FRbu1gyyI6rbR38XP1F+sk=
=L5Ak
-----END PGP SIGNATURE-----

Current thread:

Re: Exploit for Mandrake 6.1 (PAM/userhelper bug), (continued)
- - - Re: Exploit for Mandrake 6.1 (PAM/userhelper bug) Darron Froese (Mar 17)
    - Re: Exploit for Mandrake 6.1 (PAM/userhelper bug) Matt Davis (Mar 17)
    - Re: Exploit for Mandrake 6.1 (PAM/userhelper bug) Jeremy Gault (Mar 21)
  - Oracle Web Listener 4.0.x Cerberus Security Team (Mar 14)
  - Re: Advisory Update: ServerIron TCP/IP predictability fixed H D Moore (Mar 14)
    - Re: Advisory Update: ServerIron TCP/IP predictability fixed Max Vision (Mar 16)
    - FreeBSD Security Advisory: FreeBSD-SA-00:07.mh [REVISED] FreeBSD Security Officer (Mar 19)
  - Bypassing IP filters in Bordermanager 3.5 Roy Sigurd Karlsbakk (Mar 15)
  - Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.0 for Windows 98/NT Vulnerability Ussr Labs (Mar 15)
  - Certificate Validation Error in Netscape Browsers... Dennis W. Mattison (Little Wolf) (Mar 15)
  - TESO & C-Skills development advisory -- kreatecd Sebastian (Mar 16)
  - Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies Richard Sheng (Mar 16)
- Re: TESO advisory -- wmcdplay Wichert Akkerman (Mar 13)