COMMAND

    kreatecd

SYSTEMS AFFECTED

    Any system which has kreatecd installed as set-UID root

PROBLEM

    The following is based on a TESO Security Advisory.  A vulnerability
    in the kreatecd application for Linux has been discovered.  A local
    attacker can gain root access.

    This affects any system on which kreatecd is installed set-UID root.
    A build installed via the configure; make; make install procedure is
    also affected, since it installs the binary set-UID root.  Among the
    vulnerable distributions (if the package is installed) are Halloween
    Linux Version 4 and SuSE 6.x.

    Tests:

        [stealth@liane stealth]$ stat `which kreatecd`
          File: "/usr/bin/kreatecd"
          Size: 229068       Filetype: Regular File
          Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
        Device:  3,1   Inode: 360053    Links: 1
        Access: Tue Mar 14 14:48:21 2000(00000.00:00:45)
        Modify: Tue Mar 14 14:48:21 2000(00000.00:00:45)
        Change: Tue Mar 14 14:48:21 2000(00000.00:00:45)
        [stealth@liane stealth]$ id
        uid=500(stealth) gid=500(stealth) groups=500(stealth)
        [stealth@liane stealth]$ /tmp/kreatur
        (... some diagnostic messages ...)
        Creating suid-maker...
        Creating boom-shell...
        
        Execute kreatecd and follow the menus:
        Configure -> Paths  -- change the path for cdrecord to /tmp/xxx
        Apply -> OK
        Configure -> SCSI -> OK
        
        Execute /tmp/boomsh
        
        
        BEHAVE!
        
        (poking around with GUI...)
        [stealth@liane stealth]$ /tmp/boomsh
        [root@liane stealth]# id
        uid=0(root) gid=500(stealth) groups=500(stealth)
        [root@liane stealth]#

    An attacker may gain local root access on a system where a vulnerable
    kreatecd package is installed.  Exploitation may be difficult for a
    remote attacker who has only gained local user access, because the
    vulnerable program is GUI-driven.

    kreatecd, which runs with a saved user-id of 0, blindly trusts the
    paths to the CD-recording software (e.g. cdrecord) supplied by an
    unprivileged user through its configuration dialogs.  It then invokes
    whatever program is at that path with an EUID of 0 as soon as the user
    clicks through the menus, so any user-controlled binary runs as root.

    The bug-discovery  and the  demonstration programs  are due  to S.
    Krahmer.  There's a  working demonstration program to  exploit the
    vulnerability.  The exploit is available from

        http://teso.scene.at/ or https://teso.scene.at/
        http://www.cs.uni-potsdam.de/homepages/students/linuxer

SOLUTION

    The author and the distributor have been informed in advance.  Remove
    the set-UID bit from kreatecd (chmod u-s).
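    The following is an added example, not part of the original advisory,
    that implements the recommended fix: it locates kreatecd in the usual
    binary directories, checks for the set-UID bit seen in the stat output
    above, and strips it.  The function names and the extra search
    directories (/usr/local/bin, /opt/kde/bin) are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the kreatecd project): audit a
# kreatecd binary for the set-UID bit and clear it, as the SOLUTION advises.
# Assumes a POSIX sh with test(1) -u, chmod(1), tr(1) and printf(1).

# has_suid PATH -> exit 0 if PATH carries the set-user-ID bit, 1 otherwise
has_suid() {
    [ -u "$1" ]
}

# strip_suid PATH -> clear only the set-UID bit (u-s), keep all other bits,
# and verify the bit is really gone (chmod on a read-only fs may fail).
strip_suid() {
    chmod u-s "$1" || return 1
    ! has_suid "$1"
}

# fix_kreatecd [NAME] -> look for NAME (default: kreatecd) in every $PATH
# directory plus some assumed extra prefixes, report each copy found and
# strip the set-UID bit where it is set.  Returns 1 if nothing was found.
# Directories containing whitespace are not handled (word splitting).
fix_kreatecd() {
    name="${1:-kreatecd}"
    found=0
    for dir in $(printf '%s' "$PATH" | tr ':' ' ') /usr/local/bin /opt/kde/bin; do
        bin="$dir/$name"
        [ -f "$bin" ] || continue
        found=1
        if has_suid "$bin"; then
            strip_suid "$bin" && echo "fixed: $bin" || echo "FAILED: $bin"
        else
            echo "ok: $bin (no set-UID bit)"
        fi
    done
    [ "$found" -eq 1 ]
}
```

    Run fix_kreatecd as root; it only clears the set-UID bit, it does not
    remove the package.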