SUS Format String Flaw Lets Local Users Execute Code With Root Privileges
SecurityTracker Alert ID: 1011273
SecurityTracker URL: http://securitytracker.com/id?1011273
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 15 2004
Impact: Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.0.2
Description: A format string vulnerability was reported in SUS. A local user can obtain root privileges.
LSS Security reported that a local user can supply specially crafted command line parameters to trigger the format string vulnerability
and execute arbitrary code with root privileges. The flaw is due to an incorrect syslog() call in the log() function in 'log.c'.
Leon Juranic is credited with discovering this flaw.
The vendor was notified on September 13, 2004.
A demonstration exploit is available at:
http://security.lss.hr/PoC/index.php?p=adv&ID=LSS-2004-09-01.html
The original advisory is available at:
http://security.lss.hr/index.php?page=details&ID=LSS-2004-09-01
Impact: A local user can obtain root privileges.
Solution: The vendor has released a fixed version (2.0.6), available at:
http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z
Vendor URL: pdg.uow.edu.au/sus/
Cause: Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: LSS Security <exposed@lss.hr>
Message History:
None.
Source Message Contents
Date: Tue, 14 Sep 2004 15:56:10 +0200
From: LSS Security <exposed@lss.hr>
Subject: SUS 2.0.2 local root vulnerability
LSS Security Advisories
http://security.lss.hr
---
Title : SUS 2.0.2 local root vulnerability
Advisory ID : LSS#2004-09-01
Date : September 14th, 2004
Advisory URL : http://security.lss.hr/index.php?page=details&ID=LSS-2004-09-01
Impact : Any user can obtain root privileges
Risk level : High
Vulnerability type : Local
Vendors contacted : GENTOO Linux and Peter D. Gray (SUS author), Contact date: September 13th, 2004
---
==[ Overview
SUS is a suid root program that allows ordinary users to execute certain
programs with superuser privileges. SUS relatives are super, sudo and calife. SUS is
run by default as setuid root.
==[ Vulnerability
There is a very simple format string bug in the log() function that allows any local
user to gain root privileges. The format string vulnerability is a result of an incorrect
syslog() function call, and can be exploited directly from the command line.
log.c:
--------
void
log(char * msg)
...
openlog(ident, LOG_PID|LOG_CONS, facility);
syslog(level,msg); // <- VULNERABILITY
...
--------
==[ Affected versions
The exploitation of this vulnerability was successfully tested on SUS version 2.0.2.
==[ Fix
GENTOO Linux has released a patched version - sus-2.0.2-r1.
There is also a fixed version on sus homepage:
http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z
==[ PoC Exploit
Proof of concept code can be downloaded at http://security.lss.hr/PoC/.
==[ Credits
This vulnerability was found by Leon Juranic (ljuranic@LSS.hr).
==[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : security@LSS.hr
Tel : +385 1 6129 775
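The vulnerable call above passes the caller-controlled message as the syslog() format argument. The following is an added example, not SUS code and not the vendor's or Gentoo's patch, of the hardened pattern a setuid program should use instead: a fixed "%s" format with the message passed as data, plus control-character sanitisation so a single argument cannot forge extra log entries, and a small audit helper that counts argument-consuming directives in a message. The function names (log_safe, sanitize_for_log, count_format_directives, render_safe, render_safe_preserves) and the ident/facility/level parameters are assumptions made for the example; the sample argument is constructed.

```c
/* Added example (not SUS code): hardened logging of a user-supplied
 * message, beside helpers that make the behaviour inspectable. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf conversions in s that would consume a variadic argument.
 * "%%" is a literal percent sign and is skipped. Useful when auditing
 * whether a message reaching a format-string sink is attacker-shaped. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" consumes no argument */
            s++;
            continue;
        }
        if (s[1] == '\0')       /* trailing lone '%' */
            break;
        n++;
    }
    return n;
}

/* Copy msg into out, replacing control characters (newline, ESC, DEL, ...)
 * with '?' so one log entry cannot inject additional fake entries.
 * Returns the number of characters written, excluding the terminator. */
size_t sanitize_for_log(const char *msg, char *out, size_t outsz)
{
    size_t i = 0;
    if (outsz == 0)
        return 0;
    for (; msg[i] && i + 1 < outsz; i++) {
        unsigned char c = (unsigned char)msg[i];
        out[i] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    out[i] = '\0';
    return i;
}

/* Render msg through a fixed "%s" format, exactly as log_safe() hands it
 * to syslog(). Any directives inside msg stay literal text. */
int render_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Check helper: does the safe rendering reproduce msg byte for byte? */
int render_safe_preserves(const char *msg)
{
    char buf[256];
    render_safe(buf, sizeof buf, msg);
    return strcmp(buf, msg) == 0;
}

/* Hardened replacement for a log(char *msg) that did syslog(level, msg):
 * the format is a literal, the message is data, and it is sanitised first. */
void log_safe(const char *ident, int facility, int level, const char *msg)
{
    char clean[1024];
    sanitize_for_log(msg, clean, sizeof clean);
    openlog(ident, LOG_PID | LOG_CONS, facility);
    syslog(level, "%s", clean);
    closelog();
}

int main(void)
{
    /* Constructed sample argument: directives plus an embedded newline.
     * It is only inspected and rendered here, never used as a format. */
    const char *sample = "cmd=%x%x%n\nFAKE ENTRY";
    char buf[256];

    printf("argument-consuming directives: %d\n", count_format_directives(sample));
    sanitize_for_log(sample, buf, sizeof buf);
    printf("sanitized: %s\n", buf);
    log_safe("sus-example", LOG_USER, LOG_NOTICE, sample);
    return 0;
}
```

Because glibc declares syslog() with a printf-style format attribute, compiling with `gcc -Wall -Wformat -Wformat-security` reports the original `syslog(level, msg)` call as a non-literal format with no arguments, so this class of bug can be caught before it ships; the `"%s"` form above compiles cleanly.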