Date: Tue, 14 Sep 2004 15:56:10 +0200
From: LSS Security <exposed@....hr>
To: bugtraq@...urityfocus.com
Subject: SUS 2.0.2 local root vulnerability


                           LSS Security Advisories
			   http://security.lss.hr
			   
			   
			   	
---

Title			: SUS 2.0.2 local root vulnerability
Advisory ID		: LSS#2004-09-01
Date			: September 14th, 2004 
Advisory URL		: http://security.lss.hr/index.php?page=details&ID=LSS-2004-09-01
Impact			: Any user can obtain root privileges
Risk level		: High 
Vulnerability type	: Local
Vendors contacted	: GENTOO Linux and Peter D. Gray (SUS author), Contact date: September 13th, 2004


---


==[ Overview 

SUS is a suid root program that lets ordinary users execute certain 
programs with superuser privileges. Related tools are super, sudo and calife. SUS 
runs setuid root by default.



==[ Vulnerability

There is a very simple format string bug in the log() function that allows any local
user to gain root privileges. The format string vulnerability is the result of an 
incorrect syslog() call, in which the message is passed as the format argument, and 
it can be exploited directly from the command line.

log.c:
--------

void
log(char * msg)
{
...
                openlog(ident, LOG_PID|LOG_CONS, facility);
                syslog(level,msg);                            // <- VULNERABILITY
...
}
--------
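
The corrected call pattern, as an added example (not code from SUS or from the
advisory): the message is only ever passed as an argument to a constant "%s"
format. The names build_line() and safe_log() are hypothetical, and
__attribute__((format)) assumes GCC or Clang.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOG_LINE_MAX 1024

/* Hypothetical helper. The format attribute makes the compiler check every
 * caller's format against its arguments; building with
 * -Wformat -Werror=format-security additionally rejects a call whose
 * format is a non-literal with no arguments, which is the bug in log().
 * Returns the number of bytes written, or -1 if the line would not fit. */
__attribute__((format(printf, 3, 4)))
int build_line(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Hardened counterpart of log(): msg is data, never the format string.
 * Conversion specifiers inside msg reach the log as literal text. */
int safe_log(int level, const char *ident, int facility, const char *msg)
{
    char line[LOG_LINE_MAX];
    int n = build_line(line, sizeof line, "%s", msg);

    if (n < 0)
        return -1;              /* refuse oversized input, do not truncate */
    openlog(ident, LOG_PID | LOG_CONS, facility);
    syslog(level, "%s", line);  /* constant format, message as argument */
    closelog();
    return n;
}
```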



==[ Affected versions

The exploitation of this vulnerability was successfully tested on SUS version 2.0.2.



==[ Fix

GENTOO Linux has released a patched version - sus-2.0.2-r1.

There is also a fixed version on the SUS homepage:
http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z



==[ PoC Exploit

Proof of concept code can be downloaded at http://security.lss.hr/PoC/.



==[ Credits

This vulnerability was found by Leon Juranic (ljuranic@....hr).



==[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 WWW    : http://security.lss.hr
 E-mail : security@....hr
 Tel	: +385 1 6129 775
  

