TESO Security Advisory - A vulnerability within the wmcdplay CD playing application for the WindowMaker desktop has been discovered. It allows local root compromise through arbitrary code execution.Any system which has wmcdplay installed as setuid root is vulnerable.
8d5071c1366d929bea61249f0900db3205b2b45ad04b4e9179fa21f235aaefe6
- ------
TESO Security Advisory
03/09/2000
wmcdplay local root compromise
Summary
===================
A vulnerability within the wmcdplay CD playing application for the
WindowMaker desktop has been discovered. It allows local root compromise
through arbitrary code execution.
Systems Affected
===================
Any system which has wmcdplay installed as setuid root. Though on most
popular system distributions wmcdplay is not installed by default, the
optional installation of it is always setuid root, hence affected by the
problem.
Please note that wmcdplay doesn't require WindowMaker as its desktop,
so even if you haven't installed WindowMaker you may be vulnerable.
Among the vulnerable distributions (if the package is installed) are the
following systems:
Debian/GNU Linux 2.1, wmcdplay 1.0beta1-2
Halloween Linux Version 4
Tests
===================
liane:[bletchley]> id -a
uid=501(bletchley) gid=501(bletchley) groups=501(bletchley)
liane:[bletchley]> cd wmhack/
liane:[wmhack]> uname -a
Linux liane.c-skills.de 2.2.13-13 #21 Thu Mar 2 10:36:13 WET 2000 i686 unknown
liane:[wmhack]> stat `which wmcdplay`
File: "/usr/X11R6/bin/wmcdplay"
Size: 38372 Filetype: Regular File
Mode: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 3,1 Inode: 213954 Links: 1
Access: Sat Mar 4 14:21:43 2000(00004.20:34:20)
Modify: Thu Nov 11 09:59:00 1999(00119.00:57:03)
Change: Fri Mar 3 15:31:42 2000(00005.19:24:21)
liane:[wmhack]> cc wmexp.c
liane:[wmhack]> ./a.out
You can also add an offset to the command-line. 40 worked for me on the console.
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
wmcdplay : Tried to find artwork file, but failed.
Segmentation fault
liane:[wmhack]> ./a.out 40
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
wmcdplay : Tried to find artwork file, but failed.
Illegal instruction
liane:[wmhack]> ./a.out 140
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
wmcdplay : Tried to find artwork file, but failed.
sh-2.03# id -a
uid=0(root) gid=501(bletchley) groups=501(bletchley)
sh-2.03#
Impact
===================
Through exploitation of the buffer overflow within wmcdplay a local user
can elevate his privileges to the superuser level. Once this is archived
the attacker has complete access to the system, allowing compromitation
of all data stored on it.
Explanation
===================
Due to inaccurate bounds-checking a sprintf() call with commandline
arguments, it can be used to overflow a stack-located buffer.
By setting proper values and avoiding zero-bytes an attacker can execute
arbitrary code.
Solution
===================
The author and the distributor has been informed before. A patch is already
available. Short-timed just remove the suid-bit; it is not necessary.
Acknowledgments
================
The bug-discovery and the demonstration programs are due to S. Krahmer [2].
The shell-code is due to Stealth.
This advisory has been written by scut and S. Krahmer.
Contact Information
===================
The TESO crew can be reached by mailing to tesopub@coredump.cx.
Our web page is at http://teso.scene.at/
C-Skills developers may be reached through [2].
References
===================
[1] TESO
http://teso.scene.at/
[2] S. Krahmer, C-Skills
http://www.cs.uni-potsdam.de/homepages/students/linuxer/
Disclaimer
===================
This advisory does not claim to be complete or to be usable for any
purpose. Especially information on the vulnerable systems may be
inaccurate or wrong. The supplied exploit is not to be used for malicious
purposes, but for educational purposes only.
This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should include
link [1] and [2].
Exploit
===================
We've created a working demonstration program to exploit the vulnerability.
The exploit is available from
http://teso.scene.at/
and
http://www.cs.uni-potsdam.de/homepages/students/linuxer
- ------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE4yQ4QcZZ+BjKdwjcRAobJAJwO+vEtw5on/9obko1ozI7DywhbSwCgnG18
7aAhRDSSJr15f06W1Ei4b64=
=HrTR
-----END PGP SIGNATURE-----