COMMAND
xmonisdn
SYSTEMS AFFECTED
Debian GNU/Linux 2.1, RedHat 6.0
PROBLEM
The following is based on a Debian advisory. Debian had received reports
that the version of xmonisdn distributed in the isdnutils package from
Debian GNU/Linux 2.1 has a security problem.
Xmonisdn is an X applet that shows the status of the ISDN links. It
can be configured to run two scripts when the left or right mouse
button is clicked on it. Xmonisdn was installed setuid root so that
the scripts could do things like add and delete the default route.
The problem is that, while the scripts were checked to be owned by
root and not writable by group or others, they are run via the
system() library function, which spawns a shell to run them. This
means that the scripts are open to attack via IFS and/or PATH
manipulation.
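As an added example (not code from the advisory or from isdnutils), here is the vulnerable system() pattern next to a hardened fork/execve variant that gives the script a fixed environment, so the caller's IFS and PATH are never consulted. The ownership check mirrors the one the advisory describes; the function names and the fixed PATH value are assumptions of this example, and the advisory's actual fix (not installing the program setuid at all) still applies on top of this.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* The only environment the child sees: nothing inherited from the invoking
 * user, so an attacker-set IFS or PATH never reaches the shell. */
static char *const safe_envp[] = { "PATH=/bin:/usr/bin", NULL };

/* The check the advisory describes: regular file, owned by root, not
 * writable by group or others. 1 = trusted, 0 = not. (Path-based, like the
 * original, so it does not close the check-to-exec window.) */
int script_is_trusted(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) return 0;
    return 1;
}

/* Vulnerable pattern (what xmonisdn did): the check passes, but system()
 * hands the script to /bin/sh with the caller's IFS and PATH intact. */
int run_script_unsafe(const char *path)
{
    if (!script_is_trusted(path)) return -1;
    return system(path);
}

/* Hardened pattern: execve the script directly with the fixed environment.
 * Returns the script's exit status, or -1 on failure. */
int run_script_safe(const char *path)
{
    if (!script_is_trusted(path)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        execve(path, argv, safe_envp);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-alone use: exit 0 if the given script passed the check and exited 0. */
int main(int argc, char **argv) { return (argc == 2 && run_script_safe(argv[1]) == 0) ? 0 : 1; }
```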
However, setuid root isn't necessary anymore, as the ISDN system now
offers other ways of preventing dial-outs besides manipulating
network routes. This can be done by anyone who can access
/dev/isdnctrl0 and /dev/isdninfo. On Debian systems those are rw for
group dialout, so if xmonisdn is run by someone in group dialout,
they can execute the necessary isdnctrl commands.
Note that other Linux distributions may be affected as well.
The makefile that comes with the (rather outdated) isdn4kutils
betas and that was in the isdn4linux CVS tree installed xmonisdn
setuid root, too (until Paul Slootman committed a fix at the
beginning of August).
Ron van Daal added the following (tested on my workstation, which is
running Red Hat Linux 6.0):
[syntonix@damien bin]# pwd; ls -al xmonisdn
/usr/bin
-rwsr-xr-x 1 root root 13528 Mar 4 1998 xmonisdn
[syntonix@damien bin]# xmonisdn -file /etc/shadow
Warning: Cannot convert string "netactive" to type Pixmap
Warning: Cannot convert string "netactiveout" to type Pixmap
Warning: Cannot convert string "netwaiting" to type Pixmap
Warning: Cannot convert string "netinactive" to type Pixmap
Warning: Cannot convert string "netstart" to type Pixmap
Warning: Cannot convert string "netstop" to type Pixmap
[1]+ Stopped xmonisdn -file /etc/shadow
[syntonix@damien bin]# bg
[1]+ xmonisdn -file /etc/shadow &
[syntonix@damien bin]# killall -8 xmonisdn
[1]+ Floating point exception(core dumped) xmonisdn -file /etc/shadow
[syntonix@damien bin]# strings core|less
<snip>
/lib/ld-linux.so.2
root:$1$Fijz9O0n$ku/VSK.h6cbTV5oueAAwz/:10883:0:99999:7:-1:-1:134538500
bin:*:10878:0:99999:7:::
daemon:*:10878:0:99999:7:::
adm:*:10878:0:99999:7:::
lp:*:10878:0:99999:7:::
sync:*:10878:0:99999:7:::
shutdown:*:10878:0:99999:7:::
halt:*:10878:0:99999:7:::
mail:*:10878:0:99999:7:::
news:*:10878:0:99999:7:::
uucp:*:10878:0:99999:7:::
operator:*:10878:0:99999:7:::
games:*:10878:0:99999:7:::
gopher:*:10878:0:99999:7:::
ftp:*:10878:0:99999:7:::
nobody:*:10878:0:99999:7:::
xfs:!!:10878:0:99999:7:::
ronvdaal:$1$Dc92cqLj$V/HSANaVuwCMxGjFfZC/T0:10883:0:99999:7:-1:-1:134538492
syntonix:$1$h3yIM.h/$JjBLYPvb4Zcjv1tb.21Uw/:10883:0:99999:7:-1:-1:134538484
<snip>
It is not clear why, but it was said that Ron executed those commands
as root, which, on his system, allowed him to make the setuid xmonisdn
dump core. xmonisdn won't dump core unless you are running it as root.
This isn't a security hole unless it dumps core in a world-readable
mode, or in a directory writable by others, in which case files could
get trashed.
SOLUTION
This version of Debian was released only for the Intel, Motorola
680x0, Alpha and Sun SPARC architectures.
Source archives:
http://security.debian.org/dists/stable/updates/source/isdnutils_3.0-12slink13.diff.gz
http://security.debian.org/dists/stable/updates/source/isdnutils_3.0-12slink13.dsc
http://security.debian.org/dists/stable/updates/source/isdnutils_3.0.orig.tar.gz
Alpha architecture:
http://security.debian.org/dists/stable/updates/binary-alpha/isdnutils_3.0-12slink13_alpha.deb
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/isdnutils_3.0-12slink13_i386.deb
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/isdnutils_3.0-12slink13_sparc.deb