SUS 2.0.2 local root vulnerability
LSS Security Advisories
http://security.lss.hr
---
Title : SUS 2.0.2 local root vulnerability
Advisory ID : LSS#2004-09-01
Date : September 14th, 2004
Advisory URL: :
http://security.lss.hr/index.php?page=details&ID=LSS-2004-09-01
Impact : Any user can obtain root privileges
Risk level : High
Vulnerability type : Local
Vendors contacted : GENTOO Linux and Peter D. Gray (SUS author), Contact
date: September 13th, 2004
---
==[ Overview
SUS is a suid root program that allows ordinary users the execution of certain
programs with superuser privileges. SUS relatives are super, sudo and calife.
SUS is
run by default as setuid root.
==[ Vulnerability
There is a very simple format string bug in log() function that allows any local
user to gain root privileges. Format string vulnerability is a result of an
incorrect
syslog() function call, and can be exploited directly from the command line.
log.c:
--------
void
log(char * msg)
{
...
openlog(ident, LOG_PID|LOG_CONS, facility);
syslog(level,msg); // <-
VULNERABILITY
...
}
--------
==[ Affected versions
The exploitation of this vulnerability was successfully tested on SUS version
2.0.2.
==[ Fix
GENTOO Linux has released a patched version - sus-2.0.2-r1.
There is also a fixed version on sus homepage:
http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z
==[ PoC Exploit
Proof of concept code can be downloaded at http://security.lss.hr/PoC/.
==[ Credits
This vulnerability was found by Leon Juranic (ljuranic@xxxxxx).
==[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security,lss.hr
E-mail : security@xxxxxx
Tel : +385 1 6129 775