Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT

From: Olaf Kirch (okirat_private)
Date: Mon Jul 08 2002 - 04:03:04 PDT

Next message: Skot: "Re: Google lists vulnerable sites."

Previous message: Craig, Scott: "RE: Default passwords for TSO and CICS ?"
In reply to: kanix THE HACKER: "LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Disclaimer - I investigated this issue on SuSE, not RedHat, so
the situation there may be somewhat different.

On Sun, Jul 07, 2002 at 09:43:06PM +0000, kanix THE HACKER wrote:
> This is a local exploit for a format string vulnerability in
> /usr/bin/artswrapper on Red Hat Linux release 7.2 (Enigma).

Hm. I am not quite sure why this exploit should give you a root shell
(unless RedHat made artsd setuid root, too).

artswrapper does a seteuid(getuid()) which sets the effective uid back
to that of the caller. Then it calls execv(/opt/.../artsd).  The execv
call takes care of the saved uid. So what you get is a shell running
with realtime scheduling priority, but no root privilege.

For what it's worth, there are simpler methods to obtain a process with
RT-privilege using artsd. Compile the attached program as /tmp/lalla
and check:

	$ artswrapper -m /tmp/lalla -a foo
	>> running as realtime process now (priority 50)
	Current scheduling policy is FIFO

Which is disturbing, but a far cry from root privileges as claimed
in the original posting.

Apart from that, artsd has a load of other ways to break it. Unchecked
vsprintf calls in arts/mcop/debug.cc for instance. But given that
artsd is linked against 16 shared libraries I'm sure there are
at least that many different ways to exploit it.

Fortunately, KDE seems to have picked up the habit of protecting the
directory in which the mcop communication socket resides so that
no-one except the user running artsd can connect.

If I am not mistaken, the original intention of giving artsd real-
time scheduling policy was to make sure that sound data was being
fed to the sound device with a low latency; which is important for
many sound cards which have ridiculously small buffers. It seems
though that artsd has mutated into something much bigger in the
meantime; maybe it's time to consider whether one shouldn't split
off the part feeding the audio device...

Olaf
-- 
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okirat_private   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann

text/plain attachment: lalla.c

Next message: Skot: "Re: Google lists vulnerable sites."
Previous message: Craig, Scott: "RE: Default passwords for TSO and CICS ?"
In reply to: kanix THE HACKER: "LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 08 2002 - 09:35:56 PDT