suidat_private - Corel xconf utils local root (among others) vulnerability. Advisory Author: suidat_private Software: Corel Linux 1.0 xconf utilities URL: http://linux.corel.com Version: Version 1.0 Platforms: Corel Linux only. Summary: Local users can take advantage of lack of input validation and the lack of privilege dropping to gain root access, or perform a denial of service attack on Corel Linux systems. Vulnerabilities: There are multiple vulnerabilities. I know I have missed some here. For example, I saw some /tmp files being used with the return value of time(NULL) as an attempt at selecting a unique filename. I haven't written these up here however. (1) Appending garbage XF86Config data to any file on the system /sbin/buildxconf does no input validation and is setuid root. Invoking it with the -f argument, a user can specify a filename to output to. Example /etc/shadow. (2) Replacing the first line of any existing file with garbage. As above, no input validation. When invoked with the -x command buildxconf replaces the first line of the specified file with the path/filename of an X server. An effective denial of service against /etc/passwd root account. (3) Create root owned world writable files anywhere on the file system. Again, buildxconf does no input validation or directory permission checks. specifying -x or -f on a non existent filename creates that file mode 0666. Set your umask to 0. (4) Executing arbitrary commands with euid root. A touch different. /sbin/setxconf allows users to test X configs with the -T switch. This process eventually invokes xinit with euid root. A quick look at the xinit man page will tell you that xinit looks at ~/.xserverrc and will execute things in there while starting. In the interests of keeping this post short I have left the rest of this advisory off. If your interested in exploit/workaround information visit: http://www.suid.kg/advisories/007.txt Regards, suidat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:13 PDT