SUS 2.0.2 local root vulnerability
Sep 14 2004 01:56PM
LSS Security (exposed lss hr)
LSS Security Advisories
Title : SUS 2.0.2 local root vulnerability
Advisory ID : LSS#2004-09-01
Date : September 14th, 2004
Advisory URL : http://security.lss.hr/index.php?page=details&ID=LSS-2004-09-01
Impact : Any user can obtain root privileges
Risk level : High
Vulnerability type : Local
Vendors contacted : GENTOO Linux and Peter D. Gray (SUS author)
Contact date : September 13th, 2004
SUS is a setuid root program that lets ordinary users execute certain
programs with superuser privileges. Related tools are super, sudo and calife. SUS
runs as setuid root by default.
There is a very simple format string bug in the log() function that allows any local
user to gain root privileges. The vulnerability is the result of an incorrect
syslog() call, in which the message is passed as the format string, and it can be
exploited directly from the command line.
log(char * msg)
{
    openlog(ident, LOG_PID|LOG_CONS, facility);
    syslog(level, msg); // <- VULNERABILITY: msg is used as the format string
}
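The corrected form of the call above, as an added example that is not part of the advisory or of the SUS source: the message is passed as data to a constant "%s" format. The names count_directives, log_safe and render, and the sample string, are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count the conversion directives a printf-family function would act on if
 * `s` were passed as the format string; "%%" is a literal percent sign. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* escaped percent, not a directive */
        else
            n++;
    }
    return n;
}

/* Corrected form of the call: "%s" is the format, msg is only data. */
void log_safe(int level, const char *msg)
{
    syslog(level, "%s", msg);
}

/* For callers that need formatting. The attribute makes GCC/Clang check the
 * arguments and, with -Wformat-security, warn on a non-literal format. */
__attribute__((format(printf, 3, 4)))
int render(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    const char *arg = "run %x.%x.%n";   /* constructed command-line text */
    char line[64];
    render(line, sizeof line, "%s", arg);
    printf("%d directives if used as a format; logged as data: %s\n",
           count_directives(arg), line);
    log_safe(LOG_NOTICE, arg);
    return 0;
}
```

Building setuid code with -Wformat -Wformat-security reports calls of the syslog(level, msg) shape at compile time.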
==[ Affected versions
The exploitation of this vulnerability was successfully tested on SUS version 2.0.2.
GENTOO Linux has released a patched version - sus-2.0.2-r1.
There is also a fixed version on the SUS homepage:
==[ PoC Exploit
Proof of concept code can be downloaded at http://security.lss.hr/PoC/.
This vulnerability was found by Leon Juranic (ljuranic (at) LSS (dot) hr).
==[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : security (at) LSS (dot) hr
Tel : +385 1 6129 775
Copyright 2010, SecurityFocus