home *** CD-ROM | disk | FTP | other *** search
-
- /usr/Cadmin/bin/csetup is root/suid and buggy. It has a vulnerability that
- allows any local user to get root priviledges.
-
- FIX
-
- chmod u-s /usr/Cadmin/bin/csetup
-
- While I was freezing my ass off in Ames, IA, making frequent trips to video
- rental store, Jay was doing somethig less lame and found an interesting
- thing: if one does setenv DEBUG_CSETUP 1 and then runs csetup, it'll create
- a file /usr/tmp/csetupLog, owned by root. Sure enough, it follows symlinks,
- follows umask if file is nonexistant, overwrites existing file keeping
- original permissions. csetup will display a dialog window on startup,
- asking for root password. However, one can press Cancel and it will proceed
- in "read-only" mode. Perhaps it was considered to be enough protection, so
- it doesn't bother dropping root priviledges.
-
- The log file looks like
-
- Remote Host: xxx Address : xxx.xxx.xxx.xxx
- Set Initial Timeout (objectserver) : 1
- Get Lego objects Info
- Finished Loading objects info
- Networking Panel initialization complete!
-
- and there's no easy way to alter its contents, thus no easy way to exploit
- it. Yet another DoS attack, right? Well, so we thought. On an ideal OS,
- it probably is. But it's Irix. I felt it more than DoS. I didn't try too
- hard to find it, though, and the other day I was brushing my teeth and it
- came by itself. Log file contains nice text, not just some binary crap. So
- from the OS view point it's a shell script. sh will be invoked to execute
- it, and it'll try to execute command called "Remote". So we can overwrite
- some system binary and make some program running as root execute it. But
- one has to have control over PATH for it to be profitable. That's where
- Irix helps us. Some may remember an old advisory about sgihelp, it was
- recommended that people _remove sgihelp_ till patch is installed, pretty
- amazing, huh? That's because all those GUI tools that run as root invoke
- sgihelp without bothering to change uid first. Old sgihelp didn't care if
- uid/euid=0, you can imagine what this means. New one does drop root very
- early, but it doesn't solve the real problem: many GUI tools calling
- external program while euid=0, which is totally unnecessary. Sure, it's
- easier to fix one program than a whole bunch of them, I'm very lazy myself
- so I can understand, but there's a price. One doesn't need to go far to
- find an example, csetup itself does it. So, do setenv DEBUG_CETUP 1,
- symlink /usr/tmp/casetupLog to /usr/sbin/sgihelp, put infamous makesh called
- "Remote" first in your PATH, run csetup. At this point sgihelp is nuked.
- Now click on Help button, and enjoy. Remember to make a copy of real
- sgihelp first.
-
- Can somebody tell me, what is the point of making a program suid if it only
- runs when you know root password? /usr/Cadmin/bin is full of such programs.
- They ask for root password on startup, and most of them only proceed if
- valid password is entered. Why is it considered to be easier than su +
- running non-suid program? It allows one to do system administration
- clicking on nice icons and toolboxes, right. But it's sure more dangerous,
- Besides, all these programs require this stupid objectserver thing to hog
- your memory (I don't run it, that's why I didn't look in /usr/Cadmin/bin
- myself). You will feel better if you do this:
-
- chmod u-s /usr/Cadmin/bin/*
- chkconfig objectserver off
- killall objectserver
-
- Some program might miss objectserver, mediad will complain on boot, for
- example, but it doesn't break anything really, only these GUI admin tools.
-
