Bug 880894 - (CVE-2014-0476) VUL-0: CVE-2014-0476: chkrootkit: Unsafe invocation in slapper()
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: openSUSE 12.3
Priority: P3 - Medium
Severity: Major
Assigned To: Sebastian Krahmer
QA Contact: Security Team bot
Whiteboard: maint:running:57617:important
Reported: 2014-06-02 07:58 UTC by Johannes Segitz
Modified: 2016-04-27 19:12 UTC (History)

Description Johannes Segitz 2014-06-02 07:58:27 UTC
Via distros (From: Giuseppe Iuculano <iuculano@debian.org>).

Thomas Stangner reported the following chkrootkit vulnerability.

CRD: 03.06.2014 18:00 UTC

This vulnerability may allow local attackers to gain root access to a box in certain configurations (/tmp not mounted noexec).

The vulnerability is located in the function slapper() in the
shell script chkrootkit:

#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
slapper (){
   SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
   SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
   ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
   SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
   OPT=-an
   STATUS=0
   file_port=

   if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
      then
      STATUS=1
      [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
         $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print  $7 }' | tr -d :`
   fi
   for i in ${SLAPPER_FILES}; do
      if [ -f ${i} ]; then
         file_port=$file_port $i   # unquoted: with an empty file_port this runs $i as a command
         STATUS=1
      fi
   done
   if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible Slapper Worm installed ($file_port)"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
         return ${NOT_INFECTED}
   fi
}


The line 'file_port=$file_port $i' will execute all files specified in
$SLAPPER_FILES as the user chkrootkit is running (usually root), if
$file_port is empty, because of missing quotation marks around the
variable assignment.

Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.


Suggested fix: Put quotation marks around the assignment.

file_port="$file_port $i"
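To make the difference between the two assignment forms concrete, here is an added example (not chkrootkit's code and not part of the advisory) that replays the slapper() loop in a throwaway directory against a harmless marker script standing in for ${ROOTDIR}tmp/update; the directory and marker are constructed by the script itself.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: reproduce the slapper() quoting bug
# in a throwaway directory so the vulnerable and fixed assignment forms can be
# compared side by side. A harmless marker script stands in for the file that
# chkrootkit looks for under ${ROOTDIR}tmp/.
set -u

# Run one form of the assignment ("unquoted" or "quoted") against a marker
# script and report "executed" or "not_executed" depending on whether the
# marker ran. Mirrors the loop in slapper() with file_port initially empty,
# which is its state when the netstat check has found no listener.
slapper_assignment_demo() {
    form=$1
    dir=$(mktemp -d)
    marker="$dir/update"   # constructed stand-in for ${ROOTDIR}tmp/update
    printf '#!/bin/sh\ntouch "%s/executed"\n' "$dir" > "$marker"
    chmod 755 "$marker"
    file_port=
    for i in "$marker"; do
        if [ -f "$i" ]; then
            if [ "$form" = unquoted ]; then
                # Vulnerable form: with file_port empty the shell parses this as
                # the command "$i" run with an empty file_port in its environment.
                file_port=$file_port $i
            else
                # Fixed form from the advisory: a plain string assignment.
                file_port="$file_port $i"
            fi
        fi
    done
    if [ -e "$dir/executed" ]; then result=executed; else result=not_executed; fi
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# Stand-alone run: prints "unquoted: executed" and "quoted: not_executed".
for form in unquoted quoted; do
    printf '%s: %s\n' "$form" "$(slapper_assignment_demo "$form")"
done
```

The same check explains why the advisory's one-line fix is sufficient: once the right-hand side is a single quoted word, the line can no longer be parsed as a command.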
Comment 1 Swamp Workflow Management 2014-06-02 09:36:42 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-06-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57617
Comment 2 SMASH SMASH 2014-06-02 09:40:11 UTC
Affected packages:

SLE-11-SP3: chkrootkit
Comment 3 Johannes Segitz 2014-06-02 09:40:44 UTC
Please ignore the WF in SWAMP, this is openSUSE 12.3 only.
Comment 4 Swamp Workflow Management 2014-06-02 22:00:26 UTC
bugbot adjusting priority
Comment 5 Johannes Segitz 2014-06-04 09:22:33 UTC
is public (http://www.debian.org/security/2014/dsa-2945)