[Secure-testing-team] Bug#699625: unix socket privilege escalation

Sang Kil Cha sangkil.cha at gmail.com
Sat Feb 2 14:23:57 UTC 2013


Package: latd
Version: 1.30
Severity: critical
Tags: security



-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages latd depends on:
ii  libc6        2.13-37
ii  libgcc1      1:4.7.2-5
ii  liblockdev1  1.0.3-1.5
ii  libstdc++6   4.7.2-5

latd recommends no packages.

latd suggests no packages.

-- no debconf information




latd has a buffer overflow vulnerability @ llogincircuit.cc

    case LATCP_VERSION:
        if (strcmp(VERSION, (char*)cmdbuf) == 0)
        {
            state = RUNNING; // Versions match
            send_reply(LATCP_VERSION, VERSION, -1);
        }
        else
        {
            char error[1024];
            debuglog(("Connect from invalid llogin version %s\n", cmdbuf));
            sprintf(error, "llogin version %s does not match latd version " VERSION, cmdbuf); //***** overflow here


This vulnerability can trigger arbitrary code execution for an unprivileged
user. I am attaching an example payload that crashes the latd daemon.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: payload.c
Type: text/x-c
Size: 3182 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20130202/d8fb5e6a/attachment.bin>
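
A bounded form of the error-message formatting quoted in the report, as an added example that is not part of the original message or of latd's own code. The helper name, the explicit length parameter and the 64-byte cap on the echoed client string are assumptions; VERSION is set to the 1.30 given in the report.

```c
#include <stdio.h>
#include <string.h>

#define VERSION "1.30"        /* from the report's Version field */
#define MAX_PEER_VERSION 64   /* assumed cap on the echoed client string */

/* Hypothetical helper, not latd code. Builds the mismatch message in
 * out[outlen]. Returns 0 if the message fit, 1 if it was truncated,
 * -1 on bad arguments or a formatting error. */
int format_version_error(char *out, size_t outlen,
                         const unsigned char *cmdbuf, size_t cmdlen)
{
    if (out == NULL || outlen == 0 || cmdbuf == NULL)
        return -1;

    /* The precision limits how many bytes of client data are read, so an
     * unterminated cmdbuf is safe; snprintf limits the total write to
     * outlen bytes including the terminating NUL. */
    int prec = (int)(cmdlen < MAX_PEER_VERSION ? cmdlen : MAX_PEER_VERSION);
    int n = snprintf(out, outlen,
                     "llogin version %.*s does not match latd version " VERSION,
                     prec, (const char *)cmdbuf);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    return ((size_t)n >= outlen) ? 1 : 0;
}

int main(void)
{
    /* Constructed input: 4096 bytes with no NUL terminator, far larger
     * than the 1024-byte error buffer in the quoted code. */
    unsigned char oversized[4096];
    char error[1024];

    memset(oversized, 'A', sizeof oversized);
    int rc = format_version_error(error, sizeof error,
                                  oversized, sizeof oversized);
    printf("rc=%d len=%zu\n", rc, strlen(error));
    return 0;
}
```

The return value lets the caller log that truncation happened instead of silently sending a clipped message.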

