Cdrtools Flaw in 'rscsi' Lets Local Users Modify Root-Owned Files to Grab Root Privileges
|
|
SecurityTracker Alert ID: 1007368 |
|
SecurityTracker URL: http://securitytracker.com/id/1007368
|
|
CVE Reference:
CAN-2003-0655
(Links to External Site)
|
Updated: Aug 6 2003
|
Original Entry Date: Aug 1 2003
|
Impact:
Modification of system information, Root access via local system
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 2.01a18
|
Description:
A vulnerability was reported in cdrtools in the 'rscsi' binary. A local user can obtain root privileges.
Secure Network Operations Strategic Reconnaissance Team reported that the 'rscsi' helper application is configured with set user id (setuid) root user privileges and contains a flaw. The flaw reportedly allows a local user to cause root-owned files to be overwritten.
A local user can supply a specially crafted command line parameter to rscsi to cause the application to create an arbitrary root-owned debug file, overwriting a user-specified file, according to the report.
|
Impact:
A local user can overwrite files on the system with root level privileges to gain root access on the system.
|
Solution:
The vendor has reportedly released a fixed development version (2.01a18), available at:
ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a18.tar.gz
The author of the report has indicated that, as a workaround, you can remove the setuid bit from the affected application:
chmod -s /opt/schily/sbin/rscsi
|
Vendor URL: www.fokus.fhg.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 01 Aug 2003 14:24:51 +0000
Subject: [VulnWatch] SRT2003-08-01-0126 - cdrtools-2.x local root exploit
|
cdrtools-2.x contains a binary that can provide local root access for a
non root user.
http://www.secnetops.com/research/advisories/SRT2003-08-01-0126.txt
-KF
|
|
