I. BACKGROUND
Linuxconf is a sophisticated administration system for the Linux operating system. More information about it is available at http://www.solucorp.qc.ca/linuxconf/.
II. DESCRIPTION
If the LINUXCONF_LANG environment variable contains at least 964 bytes of data when linuxconf starts, a buffer overflow occurs, allowing an attacker to overwrite the function's return address and execute arbitrary code. Because linuxconf is commonly installed setuid root, that code runs with root permissions. iDEFENSE has exploit code that allows a local user to launch a root shell on Red Hat Linux 7.3 by targeting linuxconf 1.28r3.
III. ANALYSIS
According to Jacques Gelinas, author of linuxconf:
"Linuxconf picks the variable and uses it to format a path using snprintf. This works fine. In fact, the receiving buffer is PATH_MAX large so even a 1000 characters variable will not overflow it and even if this were the case, snprintf would do its work. Once the path is formatted, the corresponding file is opened. If the file does not exist, an error message is formatted in a string. This was the problem and sprintf was used instead of snprintf there. There are two fixes. One is to use snprintf to format the error message at this place and the other is to look for an appropriate length for this variable (max 5 characters) immediately when it is found."
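The pattern the author describes, as an added example that is not linuxconf's source: the path is built with a bounded snprintf into a PATH_MAX buffer (already safe), the "file not found" message is then built with an unbounded sprintf into a fixed stack buffer (the bug), and both proposed fixes are applied in a hardened flow. The buffer size ERRBUF_SIZE, the message text, the path format and the function names are assumptions made for illustration; the vulnerable variant is included only for contrast and is never called with untrusted input here.

```c
/*
 * Added example, not linuxconf's source: the sprintf/snprintf pattern from
 * the analysis above.  Buffer sizes, message text and the path format are
 * assumptions made for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define LANG_MAX    5    /* longest legitimate LINUXCONF_LANG, per the author */
#define ERRBUF_SIZE 256  /* hypothetical size of the error-message buffer */

/* Step 1, already bounded in the original: format the message-file path
 * into a PATH_MAX buffer with snprintf.  Returns snprintf's result. */
static int build_lang_path(char *path, size_t path_size, const char *lang)
{
    return snprintf(path, path_size, "/usr/lib/linuxconf/msg/%s.msg", lang);
}

/* The vulnerable step: the "file not found" message goes through sprintf
 * into a fixed-size stack buffer, so a lang string longer than the space
 * left in err[] runs past its end and over the saved return address.
 * Shown for contrast only; never called with untrusted input here. */
void report_missing_unsafe(const char *lang)
{
    char err[ERRBUF_SIZE];
    sprintf(err, "Can't open message file for language %s", lang);
    fprintf(stderr, "%s\n", err);
}

/* Fix 1: bound the write.  Returns 1 if the message had to be truncated,
 * 0 otherwise, so the caller can notice and log the oversized value. */
static int report_missing_safe(char *err, size_t err_size, const char *lang)
{
    int n = snprintf(err, err_size, "Can't open message file for language %s", lang);
    return n < 0 || (size_t)n >= err_size;
}

/* Fix 2: reject an over-long value the moment it is read from the
 * environment, before it reaches any formatting call at all. */
static int lang_is_acceptable(const char *lang)
{
    size_t len;
    if (lang == NULL)
        return 0;
    len = strlen(lang);
    return len > 0 && len <= LANG_MAX;
}

/* Hardened flow applying both fixes.  Returns 0 if the message file opened,
 * -1 if LINUXCONF_LANG was rejected, -2 if the file is missing; err holds
 * a bounded diagnostic in the last two cases. */
static int load_lang_messages(const char *lang, char *err, size_t err_size)
{
    char path[PATH_MAX];
    FILE *fp;

    if (!lang_is_acceptable(lang)) {
        snprintf(err, err_size,
                 "LINUXCONF_LANG rejected: empty or longer than %d chars", LANG_MAX);
        return -1;
    }
    build_lang_path(path, sizeof path, lang);
    fp = fopen(path, "r");
    if (fp == NULL) {
        report_missing_safe(err, err_size, lang);
        return -2;
    }
    fclose(fp);
    return 0;
}

int main(void)
{
    char err[ERRBUF_SIZE];
    const char *lang = getenv("LINUXCONF_LANG");
    int rc = load_lang_messages(lang != NULL ? lang : "en", err, sizeof err);

    if (rc != 0)
        fprintf(stderr, "%s (rc=%d)\n", err, rc);
    return rc == 0 ? 0 : 1;
}
```

Either fix alone closes the overflow; applying the length check first is the stronger choice for a setuid binary, because it keeps attacker-sized input out of every later call rather than relying on each one being bounded.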
IV. DETECTION
This vulnerability affects any version of linuxconf (essentially 6 years' worth of distributions) that is installed setuid root. Generally, the four ways in which this utility can end up installed setuid are:
1. Shipped by the vendor (Red Hat does not ship linuxconf setuid, but Mandrake does, as do other Linux vendors).
2. Installed from the RPM on the main site (http://www.solucorp.qc.ca/linuxconf/) for each particular Linux OS; this installs setuid root by default.
3. Installed from source code, also from the main site (http://www.solucorp.qc.ca/linuxconf/); the build prompts for whether to install setuid root.
4. Installed in ways 1, 2 or 3, then manually set setuid root by the user for added functionality.
V. WORKAROUND
Until the fixed version is installed, remove the setuid bit from the linuxconf binary (as root):
# chmod u-s /bin/linuxconf
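Whichever of the four install routes in section IV was taken, what matters is the resulting mode and owner of the binary. The following script, added here and not part of the advisory, checks the candidate install locations for a setuid-root linuxconf and strips the bit when asked to; only /bin/linuxconf is named by the advisory, the other paths in LINUXCONF_PATHS are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the usual linuxconf install
# locations for a setuid-root binary and, optionally, strip the bit.
# Only /bin/linuxconf is named by the advisory; the other paths are assumptions.
LINUXCONF_PATHS="/bin/linuxconf /usr/bin/linuxconf /usr/sbin/linuxconf"

# setuid_status FILE
#   prints one of: missing, not-setuid, setuid (owned by a non-root user),
#   setuid-root (the exploitable configuration)
setuid_status() {
    f=$1
    if [ ! -f "$f" ]; then
        echo missing
        return 0
    fi
    if [ ! -u "$f" ]; then          # POSIX test -u: is the setuid bit set?
        echo not-setuid
        return 0
    fi
    owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$owner" = root ]; then
        echo setuid-root
    else
        echo setuid
    fi
}

# drop_setuid FILE
#   removes the setuid bit (requires root for a root-owned file) and prints
#   the resulting status so the caller can confirm the change took effect
drop_setuid() {
    chmod u-s "$1" && setuid_status "$1"
}

# audit_linuxconf
#   reports every candidate path; returns 1 if any of them is setuid root
audit_linuxconf() {
    found=0
    for p in $LINUXCONF_PATHS; do
        s=$(setuid_status "$p")
        printf '%-20s %s\n' "$p" "$s"
        if [ "$s" = setuid-root ]; then
            found=1
        fi
    done
    return $found
}

# Usage: run the audit; if it reports setuid-root for a path, run
# "drop_setuid <path>" as root and confirm it now prints not-setuid.
audit_linuxconf || echo "WARNING: a setuid-root linuxconf is installed; run drop_setuid on it as root"
```

Re-run the audit after upgrading packages, since a vendor RPM or a rebuild from source can silently put the bit back.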
VI. VENDOR FIX/RESPONSE
iDEFENSE immediately contacted Jacques Gelinas at jack@solucorp.qc.ca. He provided a source code patch. iDEFENSE verified that the vulnerability is mitigated in linuxconf 1.28r4. This version should be available as of August 28, 2002, at http://www.solucorp.qc.ca/linuxconf/download.hc.
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has not assigned an identification number to this issue.
VIII. DISCLOSURE TIMELINE
8/9/02   Issue disclosed to iDEFENSE
8/19/02  Issue disclosed to vendor
8/19/02  Issue disclosed to iDEFENSE clients
8/21/02  Announcement made to vendor-sec@lst.de
8/28/02  Coordinated public disclosure by iDEFENSE, Linux vendors and Linuxconf maintainer
IX. CREDIT
Euan Briggs (euan_briggs@btinternet.com) is credited with discovering this bug.