LSS Security Advisories
http://security.lss.hr

---
Title              : SUS 2.0.2 local root vulnerability
Advisory ID        : LSS#2004-09-01
Date               : September 14th, 2004
Advisory URL       : http://security.lss.hr/index.php?page=details&ID=LSS-2004-09-01
Impact             : Any user can obtain root privileges
Risk level         : High
Vulnerability type : Local
Vendors contacted  : GENTOO Linux and Peter D. Gray (SUS author),
                     Contact date: September 13th, 2004
---

==[ Overview

SUS is a suid root program that allows ordinary users to execute certain programs with superuser privileges. SUS relatives are super, sudo and calife. SUS is installed setuid root by default.

==[ Vulnerability

There is a very simple format string bug in the log() function that allows any local user to gain root privileges. The format string vulnerability is the result of an incorrect syslog() call: the user-controlled message is passed as the format argument instead of as data, so it can be exploited directly from the command line.

log.c:
--------
void log(char * msg)
{
        ...
        openlog(ident, LOG_PID|LOG_CONS, facility);
        syslog(level,msg);   // <- VULNERABILITY
        ...
}
--------

==[ Affected versions

The exploitation of this vulnerability was successfully tested on SUS version 2.0.2.

==[ Fix

GENTOO Linux has released a patched version - sus-2.0.2-r1.
There is also a fixed version on the SUS homepage: http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z

==[ PoC Exploit

Proof of concept code can be downloaded at http://security.lss.hr/PoC/.

==[ Credits

This vulnerability was found by Leon Juranic (ljuranic@xxxxxx).

==[ LSS Security Contact

LSS Security Team, <eXposed by LSS>
WWW    : http://security.lss.hr
E-mail : security@xxxxxx
Tel    : +385 1 6129 775
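The corrected form of the log() pattern above, as an added example that is not the advisory's or SUS's own code: the user-controlled message becomes an argument to a fixed "%s" format instead of being the format itself. format_entry() is a hypothetical helper that builds the same entry into a buffer so the behaviour can be checked offline; the syslog(3) sink is kept in log_fixed().

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical helper: build a log entry safely into `out`.
 * Returns the number of characters written (excluding NUL), or -1 on
 * truncation. `msg` is passed as DATA to a fixed format, so directives
 * such as "%x" or "%n" inside it are copied literally, not interpreted. */
int format_entry(char *out, size_t outsz, const char *user, const char *msg)
{
    int n = snprintf(out, outsz, "sus: user=%s msg=%s", user, msg);
    if (n < 0 || (size_t)n >= outsz)
        return -1;   /* refuse to log a silently truncated entry */
    return n;
}

/* Fixed version of the advisory's log(): same openlog() setup, but the
 * message is an argument to "%s". The vulnerable call is shown in the
 * comment for comparison. Compiling with -Wformat-security makes gcc
 * warn on the vulnerable form (non-literal format with no arguments). */
void log_fixed(const char *ident, int facility, int level, const char *msg)
{
    openlog(ident, LOG_PID | LOG_CONS, facility);
    /* syslog(level, msg);        <- vulnerable: msg used as the format */
    syslog(level, "%s", msg);    /* fixed: msg is data */
    closelog();
}
```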