.comment-link {margin-left:.6em;}
Xavier's Security Post
Friday, September 23, 2005
  case in point #1
from time to time I'll throw up these "case in point" posts to talk a bit about holes that I've found in the current day. I'll leave the product names out, but it'll be an interesting read nonetheless.

so today I was doing a quick audit on an internal development box. it was once used for some extreme usage, but faded away into the network's obscure hidden world as soon as another solution jumped in the spotlight. in any case, the box was given to me to play with and try funky things.

before doing anything serious, I wanted to see how secure it was locally. it turns out there was a coorperate anti-virus product installed for scanning of incoming email. unfortunately it is coupled with some lame web interface that can be used by the administrator to do things from rebooting the box via web, or edit templates.

I noticed something odd though -- many of the scripts were executed via C-written and compiled suid wrappers. and their primary purpose is just to execute specific perl scripts. fine, we see (or saw) those kind of setups all the time -- it was no big deal. so I inspected the perl scripts to find they all shared a common line of code:

require "./filefullof.functions"

ERROR!

thus here lies a very serious security hole. the coorperate software in question bundles a bunch of unnessesary perl scripts. then, these scripts are bundled with suid wrappers to assist them during executions. and finally, the perl scripts themselves call functions from another script improperly -- calling from a file in the current directory and not from an absolute one.

mhm. that's bad. in fact, one softlink later and rogue "./filefullof.functions" created -- you've just taken over an inheritance of suid.

advisory+exploit coming soon to a terminal near you!
 
Comments: Post a Comment

Links to this post:

Create a Link



<< Home
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come about. I will post Security advisories I was apart of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se

RECENT RELEASES
Rocks Clusters <=4.1 mount-loop local root
Rocks Clusters <=4.1 umount-loop local root
TSEAD-200606-6 - Rocks Clusters <=4.1 local root
xorgmodroot.py - Xorg-server 1.0 / <=X11R6.9.0-7.0 local root
TSEAD-200509-5 - Multiple Netscape.com vulnerabilities.
TSEAD-200512-3 - Multiple vulnerabilities in KISBG <=v5.1.1
fsigk_exp.py - FSIGK for Linux <=2.10-431 local root
TSEAD-200510-4 - FSIGK for Linux <=2.10-431 advisory
ritk.php - remote inclusion pentest tool
owm_exp.py - openwebmail <=2.51+ local root
perliodebug_exp.py - perlIO_debug 5.8.* local root
bankfix.py - bank card number lookup tool
TSEAD-200412-2 - AOL XSS/file read vuln
TSEAD-200412-1 - AOL redir vuln

ARCHIVES
September 2005 / October 2005 / November 2005 / December 2005 / March 2006 / April 2006 / May 2006 / June 2006 / July 2006 / September 2006 / October 2006 /