OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Endler (dendler_at_idefense.com)
Date: Wed Aug 28 2002 - 10:58:53 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 08.28.2002
    Linuxconf locally exploitable buffer overflow vulnerability

    DESCRIPTION

    A vulnerability exists in linuxconf which if the
    LINUXCONF_LANG environment variable processes at least 964
    bytes of data, a buffer overflow occurs, thereby allowing an
    attacker to modify the return address of the function and
    execute arbitrary code with root permissions. iDEFENSE has an
    exploit that allows a local user to launch a root shell on Red
    Hat Linux 7.3 by targeting the latest version of linuxconf
    1.28r3.

    ANALYSIS

    According to the author of Linuxconf, Jacques Gelinas
    jacksolucorp.qc.ca, "linuxconf picks the variable and uses it
    to format a path using snprintf. This works fine. In fact, the
    receiving buffer is PATH_MAX large so even a 1000 characters
    variable won't overflow it and even if this was the case,
    snprintf would do its work.

    Once the path is formatted, the corresponding file is opened.
    If the file do not exist, an error message is formatted in a
    string. This was the problem and sprintf was used instead of
    snprintf there.

    There are two fixes. One is to use snprintf to format error
    message at this place and the other is to look for appropriate
    length for this variable (max 5 characters) immediately when it
    is found."

    DETECTION

    This vulnerability affects any version of linuxconf
    (essentially 6 years worth of distributions) that is installed
    setuid root. Generally, the four ways in which this utility
    can be installed setuid are:

    1.) Shipped by vendor (Red Hat does not ship linuxconf
    setuid, but Mandrake does as do other linux vendors)
    2.) Installed by RPM from the main site
    (http://www.solucorp.qc.ca/linuxconf/) for each particular
    linux OS (installs setuid root by default)
    3.) Installed by source code also from main site
    (http://www.solucorp.qc.ca/linuxconf/) but prompts for whether
    to install setuid root
    4.) Installed in ways 1, 2, or 3 and manually set to setuid
    root by the user for added functionality.

    WORKAROUND

    Remove the setuid bit from the linuxconf binary:

    $ chmod u-s /bin/linuxconf

    VENDOR RESPONSE

    iDEFENSE immediately contacted Jacques Gelinas and he provided
    a source code patch. iDEFENSE verified that the vulnerability
    is mitigated in the newer distribution (1.28r4) of linuxconf.

    An updated version (1.28r4) of linuxconf which addresses this
    vulnerability will be available on August 28, 2002 at
    http://www.solucorp.qc.ca/linuxconf/ .

    Affected Linux vendors will make updates available
    August 28th, 2002.

    DISCLOSURE TIMELINE

    August 9, 2002 - Exclusively disclosed to iDEFENSE
    August 19, 2002 - Disclosed to Vendor
    August 19, 2002 - Disclosed to iDEFENSE clients
    August 21, 2002 - Announcement to vendor-seclst.de
    August 28, 2002 - Coordinated public disclosure by Linux vendors,
            Linuxconf maintainer, and iDEFENSE

    CREDIT

    This issue was exclusively disclosed to iDEFENSE by Euan Briggs
    (euan_briggsbtinternet.com)

    http://www.idefense.com/contributor.html

    - - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendleridefense.com
    www.idefense.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.1

    iQA/AwUBPWzPr0rdNYRLCswqEQK4BQCfRNs+pQacI3q7eFNibtkQ8CQ+OlQAoOil
    L8EJZISNsIFSig7PD4Uip392
    =SStn
    -----END PGP SIGNATURE-----