s3dvt Privilege Escalation
Posted Jun 2, 2014
Authored by Hector Marco, Ismael Ripoll

s3dvt suffers from a local privilege escalation vulnerability due to a lack of checking the setuid() return code.

tags | advisory, local
advisories | CVE-2013-6876
MD5 | 5223f59a5afab714e8ed88beb17f8a7a

CVE-2014-1226 - s3dvt - root shell
Authors: Hector Marco & Ismael Ripoll
CVE: CVE-2014-1226
BUG: Lack of checking setuid() return code
Dates: 25 March 2014 - Public disclosure


Description

The s3dvt developers did not review all of the code after the first report: a second function still contains the same bug as the previous CVE-2013-6876 (s3dvt 0.2.2 root shell) vulnerability.

As before, the bug is caused by not checking the return values of the setuid() and setgid() calls. When either call fails (returns an error) the privileges have not been dropped, and the process must not continue its normal execution.

Impact

The privilege drop in s3dvt exists to prevent bash from being executed with root privileges. Where the application is installed with the setuid bit set, a non-privileged user can obtain a root shell.

Because of the bash setuid() bug, this bug can be exploited successfully. See the Discussion section.

Vulnerable packages

The s3dvt package 0.2.2 is vulnerable; every revision from the first commit in January 2006 up to the current 0.2.2 (released May 2011) is affected. As of July 1, 2014 the latest s3dvt commit (1e9c9c53fa192cbf4f79d724b5e6c76374516968) is still vulnerable and exploitable.

The bug

The bug is still present because, during the discussion with the authors, we always referred to one concrete function for simplicity, but the application had two functions with the same bug. They stopped replying to our emails and fixed only one of the two functions. See the Discussion section.

The bug appears because the return value of the setuid() call is not checked. When setuid() fails, the application continues executing (it does not terminate) and the code that follows runs with the original privileges. In this case it is possible to obtain a root shell.

The bug is in the apps/s3dvt/main.c file, at lines 231 and 232 (the setuid() and setgid() calls in the forked child):

static int pipe_init_terminal(void)
{
    int uid = 0, gid = 0;
    const char *exe = "/bin/bash";
    const char *args = "-i";
    ...
    uid = getuid();            /* real uid/gid of the invoking user */
    gid = getgid();
    pid = fork();
    if (pid == 0) { /* the child */
        char tmpstr[1024];
        setuid(uid);           /* return value ignored: on failure the child keeps euid 0 */
        setgid(gid);           /* likewise */
        ...
        execl(exe, exe, args, NULL);   /* bash inherits whatever privileges remain */
        ...
    }
}



Exploit

The strategy for exploiting this kind of bug is to create as many processes as the target user is allowed (the limit given by RLIMIT_NPROC); the next attempt to drop privileges to that user then fails, and the process stays alive with its original privileges.
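The pattern the advisory describes (an unchecked setuid()/setgid() in a forked child that then execs a shell) next to a checked version of the same fork/drop/exec sequence, as an added example that is not part of the advisory or of s3dvt's code. The names drop_privileges_unchecked, drop_privileges_checked, run_as and the demo_* helpers are made up for this example. Because an RLIMIT_NPROC exhaustion needs root and a second uid, the example makes the calls fail with a constructed invalid id, (uid_t)-1, which Linux rejects with EINVAL for any caller; it stands in for the EAGAIN a process-limited target uid produces.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The s3dvt pattern: return values ignored. If either call fails
 * (EAGAIN when the target uid is at its RLIMIT_NPROC, EPERM, EINVAL, ...)
 * execution simply continues with the caller's original ids.
 * The empty if-bodies only silence warn_unused_result; s3dvt had no check at all. */
static void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    if (setuid(uid) != 0) { /* error ignored */ }
    if (setgid(gid) != 0) { /* error ignored */ }
}

/* Checked drop: gid first (once the euid is no longer 0, a setgid() to
 * another group would fail), then uid, then verify by reading the ids back.
 * Returns 0 on success, -1 with errno set on failure. */
static int drop_privileges_checked(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;      /* kernel reported success but the ids did not change */
        return -1;
    }
    return 0;
}

/* Hardened shape of pipe_init_terminal()'s child: fork, drop, exec.
 * The child never runs `path` unless the drop succeeded, and a failed exec
 * is fatal too: on Linux >= 3.1 an exceeded RLIMIT_NPROC is reported by
 * execve() returning EAGAIN rather than by setuid().
 * Returns the child's exit status, 127 for a failed drop/exec, -1 on fork/wait error. */
static int run_as(uid_t uid, gid_t gid, const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges_checked(uid, gid) != 0)
            _exit(127);
        execv(path, argv);
        _exit(127);         /* reached only if execv() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo helpers with constructed inputs so the example runs stand-alone. */
static int demo_checked_own_ids(void)
{
    return drop_privileges_checked(getuid(), getgid());    /* 0: no-op drop succeeds */
}

static int demo_checked_invalid_ids(void)
{
    return drop_privileges_checked((uid_t)-1, (gid_t)-1);  /* -1: EINVAL, even as root */
}

/* 1 if the unchecked drop "failed" silently and the process kept its ids. */
static int demo_unchecked_keeps_ids(void)
{
    uid_t u = geteuid();
    gid_t g = getegid();
    drop_privileges_unchecked((uid_t)-1, (gid_t)-1);
    return geteuid() == u && getegid() == g;
}

static int demo_run_sh(uid_t uid, gid_t gid)
{
    char *argv[] = { "sh", "-c", "exit 3", NULL };        /* constructed command */
    return run_as(uid, gid, "/bin/sh", argv);
}

int main(void)
{
    printf("checked drop to own ids:       %d\n", demo_checked_own_ids());
    int bad = demo_checked_invalid_ids();
    printf("checked drop to invalid ids:   %d (errno %d)\n", bad, errno);
    printf("unchecked drop kept ids:       %d\n", demo_unchecked_keeps_ids());
    printf("run_as own ids -> status:      %d\n", demo_run_sh(getuid(), getgid()));
    printf("run_as invalid ids -> status:  %d\n", demo_run_sh((uid_t)-1, (gid_t)-1));
    return 0;
}
```

In a real setuid-root program the drop should also reset the supplementary groups (setgroups() or initgroups()) before setgid(); that step is left out here because it needs root. The rule the advisory states for setuid() applies to execl() as well: a failed exec must not fall through into code that assumes the shell is running.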

FIX

We have created an unofficial patch for s3dvt 0.2.2:

diff --git apps/s3dvt/main.c apps/s3dvt/main.c
index 0842e22..9fd6d8e 100644
--- apps/s3dvt/main.c
+++ apps/s3dvt/main.c
@@ -228,8 +230,10 @@ static int pipe_init_terminal(void)
pid = fork();
if (pid == 0) { /* the child */
char tmpstr[1024];
- setuid(uid);
- setgid(gid);
+ if ( (setuid(getuid()) != 0) || (setgid(getgid()) != 0) ){
+ printf(stderr, "Failed to drop privileges\n");
+ exit(-1);
+ }
if (setsid() < 0)
printf("ERROR (setsid)\n");
/* tcflush(curpty, TCIOFLUSH); */
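Review bot: `printf(stderr, "Failed to drop privileges\n");` in the added error branch is wrong: printf() takes a format string first, so this passes the FILE * as the format (undefined behaviour) and the message never reaches stderr; it should be `fprintf(stderr, "Failed to drop privileges\n");`. Two smaller points in the same hunk: the check runs in the forked child, where `_exit(EXIT_FAILURE)` is preferable to `exit(-1)` (status 255, and exit() flushes stdio buffers inherited from the parent a second time); and setgid() should be called before setuid(), since once setuid(getuid()) has dropped the effective uid to a non-root user a later setgid() to a different group can fail.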



[ s3dvt-fix-setuid-pipe-terminal.patch ]

Patching s3dvt-0.2.2:

wget http://hmarco.org/bugs/patches/s3dvt-fix-setuid-pipe-terminal.patch
cd s3dvt-0.2.2
patch -p0 < ../s3dvt-fix-setuid-pipe-terminal.patch



Discussion

This bug can be exploited because there is a similar bug in the code of bash, so an attacker can exploit both bugs together to raise privileges.
