COMMAND

    atsadc

SYSTEMS AFFECTED

    Linux

PROBLEM

    The following is based on a TESO Security Advisory.  The atsar
    application contains an exploitable vulnerability.  The Halloween
    4 Linux distribution, which is based on RedHat 6.1, is shipped
    with this suid-root program.  It might be used to gain superuser
    privileges.

    Affected are the Halloween 4 Linux distribution and possibly
    others: any system that has the atsar-linux-1.4.2 package
    installed.

    Tests:

        liane:[bletchley]> id -a
        uid=501(bletchley) gid=501(bletchley) groups=501(bletchley)
        liane:[bletchley]> uname -a
        Linux liane.c-skills.de 2.2.13-13 #21 Thu Mar 2 10:36:13 WET 2000 i686 unknown
        liane:[bletchley]> stat `which atsadc`
          File: "/usr/sbin/atsadc"
          Size: 16000        Filetype: Regular File
          Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
        Device:  3,1   Inode: 117038    Links: 1
        Access: Thu Mar  9 10:09:37 2000(00000.01:02:49)
        Modify: Tue Nov  9 23:57:50 1999(00120.11:14:36)
        Change: Tue Mar  7 14:55:23 2000(00001.20:17:03)
        liane:[bletchley]> cd atsar-hack/
        liane:[atsar-hack]> ./ass.pl
        Creating hijack-lib ...
        Compiling hijack-lib ...
        Compile shell ...
        Invoking vulnerable program (atsadc)...
        sh: error in loading shared libraries:
        sh: error in loading shared libraries:
        Welcome. But as always: BEHAVE!
        sh-2.03# id -a
        uid=0(root) gid=0(root) groups=501(bletchley)
        sh-2.03#

    TESO created  a full  working root-exploit  which can  be obtained
    from:

        http://www.cs.uni-potsdam.de/homepages/students/linuxer/
        http://teso.scene.at

    For the exploit to work properly, the /etc/ld.so.preload file must
    not exist.  If it already exists, attackers may use other config
    files to gain root access.  The vulnerable program 'atsadc' is
    shipped on the power-tools/contrib CD and is suid root by default
    (package "atsar-linux").  Attackers might use this program with
    obscure command-line options to gain root access locally.

    Atsadc doesn't properly check the permissions of the output file
    given on the command line.  Rather, it opens the file without the
    O_EXCL flag, allowing an attacker to overwrite any file he wishes.
    Due to the generous mode of 0664, an attacker may even create new
    files to which he has write access too (group rw).  In interaction
    with other Linux 'system tools' he can gain root access.
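
    The open pattern described above, next to a hardened form, as an
    added example; it is not code from atsar or from the TESO advisory.
    The function names and the scratch file are constructed here, and
    restoring privileges after the open assumes the program still needs
    them afterwards.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes (reconstructed, not the atsar source):
 * opened with the program's root rights, no O_EXCL, mode 0664. */
int open_output_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0664);
}

/* Hardened: open as the invoking user (kernel checks his permissions),
 * refuse existing names (O_CREAT|O_EXCL also rejects symlinks), mode 0600. */
int open_output_hardened(const char *path)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    int fd, saved;
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0) return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    saved = errno;
    if (seteuid(euid) != 0 || setegid(egid) != 0) abort(); /* not restored */
    errno = saved;
    return fd;
}

/* Constructed check on a scratch file. Bits: 1 = hardened refused the
 * existing file, 2 = weak truncated it, 4 = hardened made an owner-only file. */
int demo(void)
{
    char path[] = "/tmp/outfile-XXXXXX";
    struct stat st;
    int seen = 0, fd = mkstemp(path);
    if (fd < 0 || write(fd, "important\n", 10) != 10) return -1;
    close(fd);
    if (open_output_hardened(path) < 0 && errno == EEXIST) seen |= 1;
    close(open_output_weak(path));
    if (stat(path, &st) == 0 && st.st_size == 0) seen |= 2;
    unlink(path);
    close(open_output_hardened(path));
    if (stat(path, &st) == 0 && (st.st_mode & 077) == 0) seen |= 4;
    unlink(path);
    return seen;
}

int main(void) { return demo() == 7 ? 0 : 1; }
```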

SOLUTION

    Remove the suid-bit.  The vendor and the author have been informed
    before, so a patch is already available.