teso.wmcdplay.txt
Posted Mar 13, 2000
Authored by teso, S. Krahmer | Site cs.uni-potsdam.de

TESO Security Advisory - A vulnerability within the wmcdplay CD playing application for the WindowMaker desktop has been discovered. It allows local root compromise through arbitrary code execution. Any system which has wmcdplay installed as setuid root is vulnerable.

tags | arbitrary, local, root, code execution
SHA-256 | 8d5071c1366d929bea61249f0900db3205b2b45ad04b4e9179fa21f235aaefe6

- ------

TESO Security Advisory
03/09/2000

wmcdplay local root compromise


Summary
===================

A vulnerability within the wmcdplay CD playing application for the
WindowMaker desktop has been discovered. It allows local root compromise
through arbitrary code execution.


Systems Affected
===================

Any system which has wmcdplay installed as setuid root. Though on most
popular system distributions wmcdplay is not installed by default, the
optional installation of it is always setuid root, hence affected by the
problem.

Please note that wmcdplay doesn't require WindowMaker as its desktop,
so even if you haven't installed WindowMaker you may be vulnerable.

Among the vulnerable distributions (if the package is installed) are the
following systems:

Debian/GNU Linux 2.1, wmcdplay 1.0beta1-2
Halloween Linux Version 4


Tests
===================


liane:[bletchley]> id -a
uid=501(bletchley) gid=501(bletchley) groups=501(bletchley)
liane:[bletchley]> cd wmhack/
liane:[wmhack]> uname -a
Linux liane.c-skills.de 2.2.13-13 #21 Thu Mar 2 10:36:13 WET 2000 i686 unknown
liane:[wmhack]> stat `which wmcdplay`
File: "/usr/X11R6/bin/wmcdplay"
Size: 38372 Filetype: Regular File
Mode: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 3,1 Inode: 213954 Links: 1
Access: Sat Mar 4 14:21:43 2000(00004.20:34:20)
Modify: Thu Nov 11 09:59:00 1999(00119.00:57:03)
Change: Fri Mar 3 15:31:42 2000(00005.19:24:21)
liane:[wmhack]> cc wmexp.c
liane:[wmhack]> ./a.out
You can also add an offset to the command-line. 40 worked for me on the console.
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
wmcdplay : Tried to find artwork file, but failed.
Segmentation fault
liane:[wmhack]> ./a.out 40
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
wmcdplay : Tried to find artwork file, but failed.
Illegal instruction
liane:[wmhack]> ./a.out 140
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
wmcdplay : Tried to find artwork file, but failed.
sh-2.03# id -a
uid=0(root) gid=501(bletchley) groups=501(bletchley)
sh-2.03#

Impact
===================

Through exploitation of the buffer overflow within wmcdplay a local user
can elevate his privileges to the superuser level. Once this is achieved
the attacker has complete access to the system, allowing compromise
of all data stored on it.


Explanation
===================

Due to inaccurate bounds-checking in a sprintf() call that formats
command-line arguments, the call can be used to overflow a stack-located
buffer. By setting proper values and avoiding zero-bytes an attacker can
execute arbitrary code.
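The sprintf() pattern the advisory describes, shown as an added example (not wmcdplay's source) beside its bounded replacement; the buffer size, the function names and the /usr/share/wmcdplay directory are assumptions for illustration:

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64 /* constructed buffer size for the example, not wmcdplay's */

/* Vulnerable pattern (illustrative, not wmcdplay's code): sprintf() formats an
 * attacker-controlled command-line string into a fixed-size stack buffer, so an
 * argument longer than the buffer writes past its end into the saved frame. */
void build_artwork_path_unsafe(char *out, const char *dir, const char *name)
{
    sprintf(out, "%s/%s", dir, name); /* no bound on the write */
}

/* Hardened form: snprintf() bounds the write and returns the length the full
 * string would have had, so an oversize argument is detected instead of
 * silently truncated. Returns 0 on success, -1 (with out[0] = '\0') if the
 * formatted path does not fit in outsz bytes. */
int build_artwork_path_safe(char *out, size_t outsz, const char *dir, const char *name)
{
    if (outsz == 0) return -1;
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Pre-check a setuid program can apply to argv before formatting anything:
 * dir + '/' + name + NUL must fit in the destination buffer. */
int argument_fits(size_t outsz, const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name) + 1 <= outsz;
}

int main(int argc, char **argv)
{
    char path[PATH_BUF];
    const char *name = argc > 1 ? argv[1] : "default.xpm";

    /* only the bounded variant is called; the unsafe one is shown for contrast */
    if (!argument_fits(sizeof path, "/usr/share/wmcdplay", name) ||
        build_artwork_path_safe(path, sizeof path, "/usr/share/wmcdplay", name) != 0) {
        fprintf(stderr, "artwork name too long, refusing\n");
        return 1;
    }
    printf("artwork path: %s\n", path);
    return 0;
}
```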


Solution
===================

The author and the distributor have been informed beforehand. A patch is
already available. As a short-term measure, just remove the setuid bit; it
is not necessary.


Acknowledgments
===================

The bug-discovery and the demonstration programs are due to S. Krahmer [2].
The shell-code is due to Stealth.

This advisory has been written by scut and S. Krahmer.


Contact Information
===================

The TESO crew can be reached by mailing to tesopub@coredump.cx.
Our web page is at http://teso.scene.at/

C-Skills developers may be reached through [2].


References
===================

[1] TESO
http://teso.scene.at/

[2] S. Krahmer, C-Skills
http://www.cs.uni-potsdam.de/homepages/students/linuxer/


Disclaimer
===================

This advisory does not claim to be complete or to be usable for any
purpose. Especially information on the vulnerable systems may be
inaccurate or wrong. The supplied exploit is not to be used for malicious
purposes, but for educational purposes only.

This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should include
link [1] and [2].


Exploit
===================

We've created a working demonstration program to exploit the vulnerability.

The exploit is available from

http://teso.scene.at/

and

http://www.cs.uni-potsdam.de/homepages/students/linuxer

- ------




