Making sweeping statements about the security of a particular program can come back to haunt you rather quickly as the recent case of a local root exploit in cdrecord demonstrates. During a discussion of recent changes in the 2.6 Linux kernel (as covered by LWN), Jörg Schilling, the author of cdrecord, made a comment about the security of that program:
That statement could well be true, but in making it, Jörg may have inspired someone to take a closer look at cdrecord. Max Vozeler recently found that cdrecord fails to drop privileges when it executes an external program, and that users can specify which external program is run via the RSH environment variable. If cdrecord is installed setuid root, any local user can exploit this vulnerability to gain root access; multiple exploits have already been posted on bugtraq.
Jörg recommends installing cdrecord setuid root. cdrecord uses the elevated privileges to lock its buffers into physical memory and to request real-time scheduling, both of which reduce the chance of a buffer underrun. It also opens the SCSI device before dropping privileges back to those of the user who ran it. For a remote device, it instead executes an external command to reach that device; prior to this fix, it did so while still holding the elevated privileges.
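The privilege-handling sequence described above, as an added example (not cdrecord's own code): do the privileged work first, then drop to the caller's real uid/gid irreversibly and verify the drop before executing any helper whose name comes from the environment. The functions drop_privileges, run_helper_unprivileged and helper_runs_as are hypothetical names chosen for this illustration.

```c
#define _GNU_SOURCE                  /* setresuid()/setresgid() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to uid/gid: supplementary groups and gid first, uid last,
 * then confirm root cannot be regained. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid || getegid() != gid))
        return -1;                   /* privileges came back or never left */
    return 0;
}
/* Fork, drop privileges in the child, then exec the helper. Its name comes from
 * the untrusted environment (cdrecord: $RSH), so it must never run with euid 0.
 * Returns the helper's exit status, or -1 if it could not be run safely. */
int run_helper_unprivileged(char *const argv[], uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(126);
        execvp(argv[0], argv);
        _exit(127);                  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
/* Self-check: does a helper launched this way really run as uid? 1 if so. */
int helper_runs_as(uid_t uid, gid_t gid)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "[ \"$(id -u)\" = \"%u\" ]", (unsigned)uid);
    char *argv[] = {"sh", "-c", cmd, NULL};
    return run_helper_unprivileged(argv, uid, gid) == 0;
}
int main(void)
{   /* 1. privileged work first (cdrecord: lock buffers, real-time scheduling, open the device) */
    if (mlockall(MCL_CURRENT) != 0) perror("mlockall (harmless when not root)");
    /* 2. only then run the user-chosen helper, with privileges gone for good */
    printf("helper ran as uid %u: %s\n", (unsigned)getuid(), helper_runs_as(getuid(), getgid()) ? "yes" : "NO");
    return 0;
}
```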
Other means for allowing non-root users to burn CDs do exist, but they are less secure, according to Jörg:
Another alternative, used by some distribution vendors (notably Red Hat and SuSE), is to disallow non-root users from burning CDs at all; this is clearly the most secure choice, but it can be inconvenient for users and system administrators. Many administrators and some CD-burning front-end programs override this choice, and in that case it could leave a large security hole that the distribution may never patch. To cover that possibility, some distributions have issued cdrecord updates even though they do not install the program setuid; see the LWN vulnerability entry for the current list.
Jörg has fixed this bug in the most recent version of his cdrtools package (2.01a38, available from his cdrecord page). See this list of fixed vulnerabilities for several good reasons to upgrade.
Package(s): httpd apache2
CVE #(s): CAN-2004-0747 CAN-2004-0751 CAN-2004-0786 CAN-2004-0809
Created: September 15, 2004    Updated: October 6, 2004
Description: Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems and a denial of service vulnerability under Linux.

Package(s): cups cupsys
CVE #(s): CAN-2004-0558
Created: September 15, 2004    Updated: October 14, 2004
Description: Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening on the IPP port.

Package(s): gdk-pixbuf gtk2
CVE #(s): CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created: September 15, 2004    Updated: February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.

Created: September 15, 2004    Updated: October 20, 2004
Description: OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files.

Package(s): samba
CVE #(s): CAN-2004-0807 CAN-2004-0808
Created: September 13, 2004    Updated: September 22, 2004
Description: There is a defect in smbd's ASN.1 parsing. A bad packet received during the authentication request could throw newly-spawned smbd processes into an infinite loop (CAN-2004-0807). Another defect was found in nmbd's processing of mailslot packets, where a bad NetBIOS request could crash the nmbd process (CAN-2004-0808). See this advisory for details.

Created: September 14, 2004    Updated: September 15, 2004
Description: SUS is a setuid root program that allows ordinary users to execute certain programs with superuser privileges. A simple format string bug in its log() function allows any local user to gain root privileges. See this BugTraq advisory for more information.

Package(s): webmin usermin
CVE #(s): CAN-2004-0559
Created: September 13, 2004    Updated: September 23, 2004
Description: There is an input validation bug in the webmail feature of Usermin. Additionally, the Webmin and Usermin installation scripts write to /tmp/.webmin without properly checking whether it already exists. The first vulnerability allows a remote attacker to inject arbitrary shell commands via a specially-crafted e-mail, which could lead to remote code execution with the privileges of the user running Webmin or Usermin. The second could allow a local user who knows that Webmin or Usermin is about to be installed to overwrite arbitrary files by creating a symlink named /tmp/.webmin that points at a target file, e.g. /etc/passwd.
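The /tmp/.webmin entry above is the classic fixed-name temporary file problem. As an added example (not Webmin's code), here is the guarded creation an installer should use instead, with a constructed directory layout (a target file plus a symlink to it) to show that the guarded open refuses the symlink and the target survives. The function names create_private_file, private_scratch_dir and demo_refuses_symlink are hypothetical.

```c
#define _DEFAULT_SOURCE              /* mkdtemp() and symlink() on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create path and write data to it, but only if nothing is there yet:
 * O_EXCL refuses an existing file or symlink, O_NOFOLLOW refuses to follow
 * one, and the private mode keeps other users out. Returns 0, or -1 if the
 * name was already taken (the advisory's symlink case) or the write failed. */
int create_private_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t want = (ssize_t)strlen(data), got = write(fd, data, strlen(data));
    close(fd);
    return got == want ? 0 : -1;
}

/* Scratch data belongs in a fresh, unpredictably named directory rather than
 * a fixed name like /tmp/.webmin. Fills buf with the created path. */
int private_scratch_dir(char *buf, size_t len)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    snprintf(buf, len, "%s/.webmin-XXXXXX", base);
    return mkdtemp(buf) ? 0 : -1;
}

/* Demonstration on a constructed layout: <dir>/target holds "original" and
 * <dir>/lnk is a symlink to it. Returns 1 when the guarded create refuses
 * the symlink and target keeps its content, 0 otherwise. Cleans up after itself. */
int demo_refuses_symlink(void)
{
    char dir[64], target[128], lnk[128], buf[16] = {0};
    if (private_scratch_dir(dir, sizeof dir) != 0) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/lnk", dir);
    if (create_private_file(target, "original") != 0 || symlink(target, lnk) != 0)
        return 0;
    int refused = create_private_file(lnk, "clobbered") == -1;
    int fd = open(target, O_RDONLY);
    if (fd >= 0) { ssize_t n = read(fd, buf, sizeof buf - 1); buf[n > 0 ? n : 0] = 0; close(fd); }
    unlink(lnk); unlink(target); rmdir(dir);
    return refused && strcmp(buf, "original") == 0;
}
```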
Resources

"The techniques described by the researchers are likely to have other applications, and we'll be better able to design secure systems as a result. This is how the science of cryptography advances: we learn how to design new algorithms by breaking other algorithms. Additionally, algorithms from the NSA are considered a sort of alien technology: they come from a superior race with no explanations. Any successful cryptanalysis against an NSA algorithm is an interesting data point in the eternal question of how good they really are in there."
Page editor: Jonathan Corbet
Copyright © 2004, Eklektix, Inc.