Bug 54169 (CVE-2004-0233) - VUL-0: CVE-2004-0233: utempter: "von hinten durch die brust ins knie" symlink attack
Summary: VUL-0: CVE-2004-0233: utempter: "von hinten durch die brust ins knie" symlink...
Status: RESOLVED FIXED
Alias: CVE-2004-0233
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Thomas Biege
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-0233: CVSS v2 Base Score: 2....
Keywords:
Depends on:
Blocks:
 
Reported: 2004-04-20 16:17 UTC by Thomas Biege
Modified: 2021-10-01 08:01 UTC (History)
1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patchinfo-box.utempter (447 bytes, text/plain)
2004-04-20 17:51 UTC, Thomas Biege
patchinfo.utempter (407 bytes, text/plain)
2004-04-20 17:51 UTC, Thomas Biege

Description Thomas Biege 2004-04-20 16:17:39 UTC
Hello Olaf, 
are we affected too? 
 
 ______________________________________________________________________ 
 
 Problem Description: 
 
 Steve Grubb discovered two potential issues in the utempter program: 
 
 1) If the path to the device contained /../ or /./ or //, the 
 program was not exiting as it should. It would be possible to use something 
 like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked 
 to another important file, programs that have root privileges that do no 
 further validation can then overwrite whatever the symlink pointed to. 
 
 2) Several calls to strncpy without a manual termination of the string. 
 This would most likely crash utempter. 
 
 The updated packages are patched to correct these problems. 
 _______________________________________________________________________ 
 
 References: 
 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0233 
 ______________________________________________________________________
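The first issue in the description is a lexical path check that let "/dev/../tmp/tty0" through. The C below is an added example written for this page; it is not utempter's code and not code from any of the people in this report, and all function names are hypothetical. It validates the device path component by component (which also catches a trailing "/.." or "/" that a plain substring test for "/../", "/./" and "//" misses), and it stores and reads back a fixed-size utmp-style line field in the way utmp expects: NUL-padded only when the value is shorter than the field, and never handed to strlen() or "%s" when read.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not utempter's code. The device path must start with
 * /dev/ and every remaining component must be a plain name, so
 * "/dev/../tmp/tty0", "/dev/./tty0", "/dev//tty0" and a trailing "/.."
 * are all rejected. This is only the lexical part of the check; a
 * caller that needs the file itself still has to stat it afterwards. */
bool device_path_ok(const char *path)
{
    static const char prefix[] = "/dev/";
    const size_t plen = sizeof(prefix) - 1;
    const char *p;

    if (path == NULL || strncmp(path, prefix, plen) != 0)
        return false;

    p = path + plen;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t clen = slash ? (size_t)(slash - p) : strlen(p);

        if (clen == 0)                                  /* "//", bare "/dev/" or trailing "/" */
            return false;
        if (clen == 1 && p[0] == '.')                   /* "/./" or trailing "/." */
            return false;
        if (clen == 2 && p[0] == '.' && p[1] == '.')    /* "/../" or trailing "/.." */
            return false;
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return true;
}

#define LINE_SIZE 32   /* size of the utmp ut_line field (UT_LINESIZE on glibc) */

/* Store a line name in a fixed-size utmp-style field. strncpy() gives
 * exactly the utmp convention: NUL padding when the name is shorter than
 * the field, and no terminator at all when it fills the field. */
void set_line_field(char field[LINE_SIZE], const char *line)
{
    strncpy(field, line, LINE_SIZE);
}

/* Read the field back into an always-terminated buffer. The scan is
 * bounded by LINE_SIZE, so a full (unterminated) field is safe to read.
 * Returns the number of characters copied (at most LINE_SIZE). */
size_t get_line_field(const char field[LINE_SIZE], char *out, size_t outsz)
{
    size_t n = 0;
    while (n < LINE_SIZE && field[n] != '\0')
        n++;
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, field, n);
    out[n] = '\0';
    return n;
}

/* Round-trip helper: how many characters of a line survive storage. */
size_t stored_line_length(const char *line)
{
    char field[LINE_SIZE];
    char out[LINE_SIZE + 1];
    set_line_field(field, line);
    return get_line_field(field, out, sizeof out);
}

int main(void)
{
    /* Constructed sample paths, not taken from any real report. */
    const char *samples[] = {
        "/dev/pts/3", "/dev/../tmp/tty0", "/dev/./tty0",
        "/dev//tty0", "/dev/tty0/..", "/tmp/tty0",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               device_path_ok(samples[i]) ? "accepted" : "rejected");

    /* A 36-character line is truncated to the 32-byte field. */
    printf("stored length of a 36-char line: %zu\n",
           stored_line_length("0123456789abcdef0123456789abcdef0123"));
    return 0;
}
```

The two halves correspond to the two issues in the description: the path validator answers the first, and the bounded read answers the second without pretending that a utmp field has to be NUL-terminated.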
Comment 1 Thomas Biege 2004-04-20 16:17:39 UTC
-
Comment 2 Olaf Kirch 2004-04-20 16:49:44 UTC
utmp entries aren't supposed to be 0 terminated. 
 
	String fields are terminated  by '\0' if they are shorter 
	than the size of the field. 
 
The exit thing is a bug, and it can probably be exploited to write to 
files owned by group tty (e.g. by using wall or write). Or you could 
do a "talk root", and if root talks back he ends up opening your fake 
tty, and everything he types into his window will go to that file instead 
of your tty. So in order to exploit this hole all you need to do is get 
root to type "<return>toor::0:0:please hack me:/:<return>". I'm sure 
every root user will happily oblige. 
 
I think it's a minor problem. I'm fixing it in stable; if you want 
packages for older products as well, let me know 
Comment 3 Thomas Biege 2004-04-20 17:41:20 UTC
The bug alone is a minor issue but has the potential to become more dangerous 
in conjunction with other minor bugs. 
To be honest I do not have an example but you know this feeling burning in 
the belly... 
Therefore it would be better to fix older version too. 
 
I'll attach the patchinfo files and create the routing slip ASAP. 
 
Comment 4 Sebastian Krahmer 2004-04-20 17:42:26 UTC
CAN-2004-0233
Comment 5 Thomas Biege 2004-04-20 17:51:21 UTC
Created attachment 18443
patchinfo-box.utempter
Comment 6 Thomas Biege 2004-04-20 17:51:54 UTC
Created attachment 18444
patchinfo.utempter
Comment 7 Olaf Kirch 2004-04-20 17:56:26 UTC
submitted fixed packages to 8.0, 8.1, 8.2, 9.0, 9.1, stable 
Comment 8 Sebastian Krahmer 2004-04-27 17:14:58 UTC
What's new here? Is there a laufzettel etc.? Thomas, can you take care
of it?
Comment 9 Thomas Biege 2004-04-28 16:03:26 UTC
I'll... 
 
Date: Tue, 20 Apr 2004 11:50:04 +0200 (CEST) 
From: Thomas Biege <thomas@suse.de> 
To: pama-laufzettel@suse.de 
Subject: [pama-laufzettel] [patch][NR 0641] utempter 
 
Subject: [patch][NR 0641] utempter 
[...] 
Comment 10 Thomas Biege 2004-04-28 16:12:34 UTC
Hi Olaf, 
I am missing the packages in the autobuild queue 
and just saw an old utempter package in /work/src/done/DISCARDED. 
That old one is: 
Mon Mar  1 10:41:16 CET 2004 - okir@suse.de 
 
- use stat64 to prevent stat calls from choking on minor 
  numbers >= 256 (#35184) 
 
No indications about problems with your package on suse-dist either... 
am I blind? 
 
 
Comment 11 Marcus Meissner 2004-04-28 16:20:25 UTC
This discarded checkin was a wrong solution to a problem we 
saw on powerpc. This has been fixed otherwise. 
 
Olaf's utempter fix has been checked in already: 
/work/SRC/old-versions/9.1/SLES/all/utempter/*es 
------------------------------------------------------------------- 
Tue Apr 20 11:48:09 CEST 2004 - okir@suse.de 
 
- Fix incorrect check for /../ in path names (#39169) 
 
 
Comment 12 Thomas Biege 2004-04-28 16:39:37 UTC
Ok, but I miss the older versions... 
Comment 13 Olaf Kirch 2004-04-28 16:48:09 UTC
for x in /work/SRC/REPOSITORY/utempter /work/SRC/all/BASE/utempter /work/SRC/old-versions/8.0/all/utempter /work/SRC/old-versions/8.1/UL/all/utempter /work/SRC/old-versions/8.2/all/utempter /work/SRC/old-versions/9.0/all/utempter /work/SRC/old-versions/9.1/SLES/all/utempter; do echo $x; head -4 $x/utempter.changes|grep '^- '; done
/work/SRC/REPOSITORY/utempter
head: /work/SRC/REPOSITORY/utempter/utempter.changes: No such file or directory
/work/SRC/all/BASE/utempter
- Fix incorrect check for /../ in path names (#39169)
/work/SRC/old-versions/8.0/all/utempter
- Fix incorrect check for /../ in path names (#39169)
/work/SRC/old-versions/8.1/UL/all/utempter
- Fix incorrect check for /../ in path names (#39169)
/work/SRC/old-versions/8.2/all/utempter
- Fix incorrect check for /../ in path names (#39169)
/work/SRC/old-versions/9.0/all/utempter
- Fix incorrect check for /../ in path names (#39169)
/work/SRC/old-versions/9.1/SLES/all/utempter
- Fix incorrect check for /../ in path names (#39169)

Comment 14 Thomas Biege 2004-04-28 16:57:24 UTC
Olaf, 
I did not see putonftp messages on security-intern@. Was the security flag 
missing for the patchinfos? 
Comment 15 Olaf Kirch 2004-04-28 17:19:34 UTC
I didn't submit putonftp/patchinfo files. I submitted the fixed packages before
you attached them to the report.
Comment 16 Thomas Biege 2004-04-28 18:00:50 UTC
:((( 
Hmmm... can Rudi put them on FTP when he gets the patchinfo files... Olaf, do 
you know? 
Comment 17 Olaf Kirch 2004-04-28 18:11:31 UTC
Sorry, I forgot. But I think it's possible to submit putonftp files
afterwards.
Comment 18 Marcus Meissner 2004-04-28 18:25:45 UTC
a patchinfo file always collects the current version in autobuild. So of 
course, just submit a patchinfo and it will be correct. 
Comment 19 Thomas Biege 2004-04-28 19:39:45 UTC
submitted patchinfo files and sent a message to suse-dist... 
Comment 20 Thomas Biege 2004-05-12 20:33:44 UTC
packages approved 
Comment 21 Thomas Biege 2009-10-13 20:20:10 UTC
CVE-2004-0233: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)