Date: Sat, 11 Mar 2000 06:32:17 -0800
From: krahmer@CS.UNI-POTSDAM.DE
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: TESO advisory -- atsadc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------
TESO Security Advisory
09/03/2000
atsadc local root compromise
Summary
The atsar application contains an exploitable vulnerability.
The Halloween 4 Linux distribution, which is based on RedHat 6.1 is
shipped with this suid-root program. It might be used to gain superuser
privileges.
Systems Affected
Halloween 4 Linux distribution, maybe others too.
Any system that has atsar-linux-1.4.2 package installed.
Tests
liane:[bletchley]> id -a
uid=501(bletchley) gid=501(bletchley) groups=501(bletchley)
liane:[bletchley]> uname -a
Linux liane.c-skills.de 2.2.13-13 #21 Thu Mar 2 10:36:13 WET 2000 i686 unknown
liane:[bletchley]> stat `which atsadc`
File: "/usr/sbin/atsadc"
Size: 16000 Filetype: Regular File
Mode: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 3,1 Inode: 117038 Links: 1
Access: Thu Mar 9 10:09:37 2000(00000.01:02:49)
Modify: Tue Nov 9 23:57:50 1999(00120.11:14:36)
Change: Tue Mar 7 14:55:23 2000(00001.20:17:03)
liane:[bletchley]> cd atsar-hack/
liane:[atsar-hack]> ./ass.pl
Creating hijack-lib ...
Compiling hijack-lib ...
Compile shell ...
Invoking vulnerable program (atsadc)...
sh: error in loading shared libraries:
sh: error in loading shared libraries:
Welcome. But as always: BEHAVE!
sh-2.03# id -a
uid=0(root) gid=0(root) groups=501(bletchley)
sh-2.03#
We've created a full working root-exploit which can be obtained from
[1] or [2].
To work properly the /etc/ld.so.preload file must not exist.
If it already exist, attackers may use other config-files to gain
root access.
Impact
The vulnerable program 'atsadc' is shipped on the power-tools/contrib
CD and comes per default suid root (package "atsar-linux").
Attackers might use this program with obscure command-line-options to
gain locally root-access.
Explanation
Atsadc doesn't properly check permissions of the output-file given
on the command-line. Rather it opens the file without the O_EXCL flag,
allowing an attacker to overwrite any file he wishes.
Due to the nice mode of 0664 an attacker may even create new files where
he has write-access too (group -rw).
In interaction with other linux 'system-tools' he can gain root-access.
Solution
Remove the suid-bit.
The vendor and the author has been informed before, so a patch is already
available.
Acknowledgments
================
The bug-discovery, further analyzation and the exploit was done by
S. Krahmer -- http://www.cs.uni-potsdam.de/homepages/students/linuxer/
This advisory has been written S. Krahmer
Contact Information
The TESO crew can be reached by mailing to tesopub@coredump.cx.
Our web-page is at http://teso.scene.at/
"C-Skills" developers may be reached through [1].
References
[1] S. Krahmer, C-Skills
http://www.cs.uni-potsdam.de/homepages/students/linuxer/
[2] TESO
http://teso.scene.at
Disclaimer
This advisory does not claim to be complete or to be usable for any
purpose. Especially information on the vulnerable systems may be
inaccurate or wrong. The supplied exploit is not to be used for malicious
purposes, but for educational purposes only.
This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should include
link [1] and [2].
Exploit
We've created a working exploit to demonstrate the vulnerability.
The exploit is available on either
http://teso.scene.at/
or
http://www.cs.uni-potsdam.de/homepages/students/linuxer/
- ------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE4yQ3AcZZ+BjKdwjcRAiUIAJ0Y9ImuZ1tqcc/L9QL2z83PfAnZpwCeIEsP
jbEGQVclXZXC3espkFZzr0Y=
=2WIN
-----END PGP SIGNATURE-----
