Message-ID: <5373C042.3070405@gmx.net>
Date: Wed, 14 May 2014 21:13:06 +0200
From: Martin von Gagern <Martin.vGagern@....net>
To: fulldisclosure@...lists.org
Subject: [FD] eInstruction Workspace sudo vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

eInstruction sells, among others, electronic whiteboards. They also
provide Linux software for these, including a user land driver of
sorts called Workspace. If the installation of that software succeeds,
it will change /etc/sudoers to add the following two lines:

ALL ALL=(ALL) NOPASSWD :
  /opt/eInstruction/DeviceManager/jre/bin/java -Djava.library.path\=.
  -classpath ./dm.jar\:./*\:./axis2-1.5/* einstruction.dm.ui.Main
Defaults env_keep += "DISPLAY XAUTHORITY XAUTHLOCALHOSTNAME"

The problem here is that the first command allows anyone to run pretty
much anything as root: simply place a dm.jar in the current directory
before executing the named command, and the named class inside it will
get executed. The intention is of course to run the shipped jar with
full privileges, but the command does not check the current working
directory or use an absolute path.

I've informed developers of this issue on 2013-12-07, in their problem
report #51647. I included a statement of my plans to disclose this
issue, but unfortunately forgot to actually do so. 2014-04-22 got the
first response: "I will pass this information to along to our
developers". Apparently no progress since then.

I guess a manual fix would be replacing all relative paths by absolute
ones. Not sure how secure the java code itself is, but the sudo
problem should be avoidable that way.

Greetings,
 Martin von Gagern
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlNzwEIACgkQRhp6o4m9dFu7wgCfePQEKvizjypyiiDc7/xb3P9A
WhwAnA1qQWs9W6fwo/grjTzgbEq5wpA1
=jpCp
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
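
Added example (not part of the original message or of the vendor's software): a small sudoers audit that flags command rules whose arguments contain paths resolved against the caller's working directory, which is the flaw described above. The sample input is constructed from the rule quoted in the message; the second rule is a hypothetical absolute-path variant in which the location of dm.jar under the install directory is an assumption.

```python
import re

# Constructed input: the rule quoted in the advisory joined onto one line, then a
# hypothetical hardened variant (location of dm.jar under the install dir is assumed).
SAMPLE_SUDOERS = r"""
ALL ALL=(ALL) NOPASSWD : /opt/eInstruction/DeviceManager/jre/bin/java -Djava.library.path\=. -classpath ./dm.jar\:./*\:./axis2-1.5/* einstruction.dm.ui.Main
Defaults env_keep += "DISPLAY XAUTHORITY XAUTHLOCALHOSTNAME"
ALL ALL=(ALL) NOPASSWD : /opt/eInstruction/DeviceManager/jre/bin/java -Djava.library.path\=/opt/eInstruction/DeviceManager -classpath /opt/eInstruction/DeviceManager/dm.jar einstruction.dm.ui.Main
"""

# user  host = (runas)  TAG : ...  /absolute/command args
RULE = re.compile(r"^(?P<who>[^\s#]\S*)\s+(?P<host>[^\s=]+)\s*=\s*(?:\([^)]*\))?\s*"
                  r"(?P<tags>(?:[A-Z_]+\s*:\s*)*)(?P<cmd>/.*)$")

def relative_parts(arg):
    """Path components of one argument that resolve against the caller's cwd."""
    if arg.startswith("-"):
        if "=" not in arg:
            return []                      # bare option name, e.g. -classpath
        arg = arg.split("=", 1)[1]         # value of -Dname=value
    parts = [p for p in arg.split(":") if p]   # classpath-style lists
    return [p for p in parts
            if not p.startswith("/") and (p.startswith(".") or "/" in p)]

def audit(sudoers_text):
    """Return one record per command rule, listing cwd-dependent arguments."""
    records = []
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        m = RULE.match(line.strip())
        if not m:                          # comments, Defaults, blank lines
            continue
        cmd = re.sub(r"\\(.)", r"\1", m["cmd"])   # undo sudoers escapes (\= \:)
        binary, *args = cmd.split()
        records.append({
            "who": m["who"],
            "nopasswd": "NOPASSWD" in m["tags"],
            "binary": binary,
            "relative": [p for a in args for p in relative_parts(a)],
        })
    return records

if __name__ == "__main__":
    for rec in audit(SAMPLE_SUDOERS):
        verdict = "FLAG" if rec["relative"] else "ok"
        print(verdict, rec["who"], rec["binary"], rec["relative"])
```

The check only looks at path shape in the rule text; it does not expand sudoers aliases or judge whether the absolute paths it accepts are writable by unprivileged users.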
