Subject: TESO & C-Skills development advisory -- kreatecd
From: Sebastian (krahmer@CS.UNI-POTSDAM.DE)
Date: Thu Mar 16 2000 - 07:40:35 CST
This one is very strange.
I hate GUIs. Still ...
-----BEGIN PGP SIGNED MESSAGE-----
TESO Security Advisory
kreatecd local root compromise
A vulnerability within the kreatecd application for Linux has been
discovered. An attacker can gain local root access.
Affected: any system which has kreatecd installed set-UID root.
This also applies to installations built with the usual configure; make; make install procedure.
Among the vulnerable distributions (if the package is installed) are:
Halloween Linux Version 4
[stealth@liane stealth]$ stat `which kreatecd`
Size: 229068 Filetype: Regular File
Mode: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 3,1 Inode: 360053 Links: 1
Access: Tue Mar 14 14:48:21 2000(00000.00:00:45)
Modify: Tue Mar 14 14:48:21 2000(00000.00:00:45)
Change: Tue Mar 14 14:48:21 2000(00000.00:00:45)
[stealth@liane stealth]$ id
uid=500(stealth) gid=500(stealth) groups=500(stealth)
[stealth@liane stealth]$ /tmp/kreatur
(... some diagnostic messages ...)
Execute kreatecd and follow the menus:
Configure -> Paths -- change the path for cdrecord to /tmp/xxx
Apply -> OK
Configure -> SCSI -> OK
(poking around with GUI...)
[stealth@liane stealth]$ /tmp/boomsh
[root@liane stealth]# id
uid=0(root) gid=500(stealth) groups=500(stealth)
An attacker may gain local root access to a system where the vulnerable
kreatecd package is installed. It might be difficult for a remote
attacker who has gained local user access, due to the GUI nature of
the vulnerable program.
I would appreciate help with some tips on how one can get an instant root shell
without clicking around.
Kreatecd, which runs with a saved user-id of 0, blindly trusts the paths to
the CD-recording software given by an unprivileged user.
It then invokes this software with an EUID of 0 once the user clicks around
a little in the menus.
The author and the distributor have been informed beforehand.
Remove the set-UID bit from kreatecd.
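The root cause above is a set-UID program executing a user-configurable path while still holding root. As an added example (not part of this advisory or of kreatecd's own code) of how a set-UID front end avoids this class of bug: the helper path is validated against a fixed allowlist and checked on disk, and root privileges are dropped permanently before anything the user configured is executed. The allowlist in `trusted_dirs` and the function names `helper_path_is_trusted`, `drop_root_privileges` and `run_helper` are assumptions, and the design assumes the helper itself carries whatever privileges it needs for device access, so the GUI never has to run it as root.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Directories a set-UID front end may run its recording helper from (assumed allowlist). */
static const char *const trusted_dirs[] = { "/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/", NULL };

/* Returns 1 if `path` names a helper that may be executed: absolute, no "..", directly
 * inside a trusted directory, a regular file owned by root and not group/other writable. */
int helper_path_is_trusted(const char *path)
{
    struct stat st; int i;
    if (path == NULL || path[0] != '/' || strstr(path, "/..") != NULL)
        return 0;
    for (i = 0; trusted_dirs[i] != NULL; i++) {
        size_t n = strlen(trusted_dirs[i]);
        if (strncmp(path, trusted_dirs[i], n) == 0 && path[n] != '\0' &&
            strchr(path + n, '/') == NULL)
            break;
    }
    /* A user-supplied /tmp/xxx fails here: it is outside every trusted directory. */
    if (trusted_dirs[i] == NULL || stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return st.st_uid == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Permanently drops to the real user and group. setuid() called with EUID 0
 * replaces the real, effective and saved UIDs, so root cannot be regained. */
int drop_root_privileges(void)
{
    uid_t uid = getuid(); gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    /* If the process was not root to begin with, regaining UID 0 must fail. */
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;
}

/* Safe replacement for "exec whatever path the user typed into the GUI": validate,
 * drop privileges, only then exec. Returns -1 on refusal or exec failure. */
int run_helper(const char *path)
{
    char *argv[2];
    if (!helper_path_is_trusted(path) || drop_root_privileges() != 0)
        return -1;
    argv[0] = (char *)path; argv[1] = NULL;
    execv(path, argv);
    return -1;
}
```

Supplementary groups are not cleared here; a real front end would also call setgroups() before setgid() when it starts with root privileges.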
The bug discovery and the demonstration programs are due to S. Krahmer.
This advisory has been written by S. Krahmer.
The TESO crew can be reached by mailing to teso@coredump.cx.
Our web page is at https://teso.scene.at/
C-Skills developers may be reached through .
 S. Krahmer, C-Skills
http://teso.scene.at or https://teso.scene.at/
This advisory does not claim to be complete or to be usable for any
purpose. In particular, information on the vulnerable systems may be
inaccurate or wrong. The supplied exploit is not to be used for malicious
purposes, but for educational purposes only.
This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should include
link  and .
We've created a working demonstration program to exploit the vulnerability.
The exploit is available from
http://teso.scene.at/ or https://teso.scene.at/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----