Full Version: Sus 2.0.2 Local Root Vulnerability
qcred11
Sep 15 2004, 07:21 PM
QUOTE


---

Title  : SUS 2.0.2 local root vulnerability
Advisory ID  : LSS#2004-09-01
Date  : September 14th, 2004
Advisory URL  : http://security.lss.hr/index.php?page=deta...=LSS-2004-09-01
Impact  : Any user can obtain root privileges
Risk level  : High
Vulnerability type : Local
Vendors contacted : GENTOO Linux and Peter D. Gray (SUS author), Contact date: September 13th, 2004


---


==[ Overview

SUS is a suid root program that allows ordinary users the execution of certain
programs with superuser privileges. SUS relatives are super, sudo and calife. SUS is
run by default as setuid root.



==[ Vulnerability

There is a very simple format string bug in the log() function that allows any local
user to gain root privileges. The format string vulnerability is the result of an incorrect
syslog() function call, and can be exploited directly from the command line.

log.c:
--------

void
log(char * msg)

...
                openlog(ident, LOG_PID|LOG_CONS, facility);
                syslog(level,msg);                            // <- VULNERABILITY
...

--------

==[ Affected versions

The exploitation of this vulnerability was successfully tested on SUS version 2.0.2.

==[ Fix

GENTOO Linux has released a patched version - sus-2.0.2-r1.

There is also a fixed version on the SUS homepage:
http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z

==[ PoC Exploit

Proof of concept code can be downloaded at http://security.lss.hr/PoC/.

==[ Credits

This vulnerability was found by Leon Juranic (ljuranic@LSS.hr).



Source: http://www.securitytracker.com/alerts/2004/Sep/1011273.html
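
Added example, not part of the advisory and not SUS source code: the syslog() call from the log.c excerpt rewritten with a constant format string, plus a small audit helper that counts the directives the original call would have interpreted. The names log_msg_fixed, render_as_data and count_directives, the ident "sus-demo" and the LOG_AUTH facility are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern from the advisory, kept as a comment only:
 *     syslog(level, msg);        // msg is parsed as a format string
 * Building with -Wformat -Wformat-security makes GCC flag that call. */

/* Hardened: the format is a constant, so msg is only ever data. */
void log_msg_fixed(int level, const char *msg)
{
    openlog("sus-demo", LOG_PID | LOG_CONS, LOG_AUTH); /* assumed ident/facility */
    syslog(level, "%s", msg);
    closelog();
}

/* Same "%s" rendering into a buffer so the result can be inspected. */
int render_as_data(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Audit helper: count conversion directives in a string, i.e. what
 * syslog(level, msg) would have tried to interpret. "%%" is a literal
 * percent sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        if (s[1] != '\0')
            n++;
    }
    return n;
}

int main(void)
{
    const char *sample = "user=%x cmd=%s 100%%";   /* constructed input */
    char buf[64];

    render_as_data(buf, sizeof buf, sample);
    printf("directives=%d logged=\"%s\"\n", count_directives(sample), buf);
    log_msg_fixed(LOG_NOTICE, sample);
    return 0;
}
```

With the constant "%s" format the constructed input is logged byte for byte, percent signs included.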