--[ Description ]-- There are several security-related Bugs in the distributed Debian (SID) Package of CDRDAO, a program to write audio or mixed mode CD-Rs in disk-at-once mode. /usr/bin/cdrdao is setuid-Root by default. --[ Version ]-- Name: Cdrdao Version: 1.1.5 Autor: Andreas Mueller <andreas@daneb.de> --[ Impact ]-- Local users can gain unauthorized root access to the system. --[ Legal ]-- The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. The Autor makes no warranties of any kind to the information contained in this security advisory. --[ Bugs ]-- Cdrdao doesnt check for permissions when it trys to open a file as its "toc-file". So it was possible to open all Files on the System, but it skips the Output on its Error-Message. Maybe it is possible to trick to read all these Files. As i tested around to trick i found another Bug. This more important Bug is that cdrdao can also write a configfile which is written to "$HOME/.cdrdao". it is written by the Root-User and not as the User who starts cdrdao. It is possible to include data on the written configfile and so it is possible to gain root via a symlink-attack on $HOME/.cdrdao After i found these Bugs i stopped to search for more Bugs. --[ Fix ]-- Not tried to fix. The Autor, the Debian Package Maintainer and the Debian Bugtracking System (#127930) where informed one week before this Post, but there was no response. --[ Tested on ]-- Debian GNU/Linux SID on i386, installed gcc and running cron --[ Credits ]-- Found and exploited by Jens "atomi" Steube. Greets go out to: impulse, symbiont, mot, para, sharkking, kartan and all other friend on #altoetting and #perl.de on ircnet. --[ Proof of concept exploit ]-- The attached exploit is designed for the Debian (SID) Package and not tested on other Systems. Regards, Jens Steube jsteube@lastflood.com
Attachment:
cdrdaohack.sh
Description: Binary data
