cdrecord RSH Environment Variable Local Privilege Escalation

2004-08-31T00:00:00
ID OSVDB:9779
Type osvdb
Reporter Max Vozeler (max@linux.de)
Modified 2004-08-31T00:00:00

Description

Vulnerability Description

CDRTools' cdrecord contains a local privilege escalation flaw involving the "RSH" environment variable. cdrecord does not drop privileges before executing the program that the user specifies in "RSH". Because cdrecord is generally installed suid root, an attacker may leverage this behavior to gain superuser privileges on a system running the affected software.

Solution Description

Upgrade to version 2.01.x or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround:

- Remove the suid bit from the cdrecord binary.

References:

Vendor URL: http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html
Security Tracker: 1011091
Secunia Advisory ID: 14894
Secunia Advisory ID: 17645
Secunia Advisory ID: 19532
Secunia Advisory ID: 12481
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200409-18.xml
Other Advisory URL: http://fedoranews.org/updates/FEDORA-2004-297.shtml
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20060401-01.U.asc
Other Advisory URL: http://www.turbolinux.com/security/2004/TLSA-2004-26.txt
Other Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:091
Other Advisory URL: http://fedoranews.org/updates/FEDORA-2004-298.shtml
Other Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.20/SCOSA-2005.20.txt
Nessus Plugin ID: 14746
Nessus Plugin ID: 14680
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0319.html
Keyword: SCOSA-2005.49
ISS X-Force ID: 17303
Generic Exploit URL: http://www.caughq.org/exploits/CAU-EX-2004-0002.txt
Generic Exploit URL: http://www.securityfocus.com/data/vulnerabilities/exploits/readcd-exp.sh
Generic Exploit URL: http://www.securityfocus.com/data/vulnerabilities/exploits/cdr-exp.sh
CVE-2004-0806
CERT VU: 700326
Bugtraq ID: 11075