Public Vulnerability Reports

Buffer overflow in linuxconf

08.28.02

BACKGROUND

Linuxconf is a sophisticated administration system for the Linux operating system. More information about it is available at http://www.solucorp.qc.ca/linuxconf/.

DESCRIPTION

If the LINUXCONF_LANG environment variable contains at least 964 bytes of data, a buffer overflow occurs, thereby allowing an attacker to modify the return address of the function and execute arbitrary code with root permissions. iDEFENSE has exploit code that allows a local user to launch a root shell on Red Hat Linux 7.3 by targeting linuxconf 1.28r3.

ANALYSIS

According to Jacques Gelinas, author of linuxconf:

"Linuxconf picks the variable and uses it to format a path using snprintf. This works fine. In fact, the receiving buffer is PATH_MAX large, so even a 1000-character variable will not overflow it, and even if this were the case, snprintf would do its work. Once the path is formatted, the corresponding file is opened. If the file does not exist, an error message is formatted in a string. This was the problem: sprintf was used instead of snprintf there. There are two fixes. One is to use snprintf to format the error message at this place, and the other is to check for an appropriate length for this variable (max 5 characters) immediately when it is found."
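The following C program is an added illustration of the two fixes the author describes, not linuxconf's own code. It reconstructs the flow from the quote: the path is formatted with snprintf into a PATH_MAX buffer (already safe), the file is opened, and on failure an error message is formatted. The message is now built with snprintf and its truncation reported, and the variable is rejected as soon as it is read if it exceeds the 5-character limit. The function names, the message wording, the "<dir>/<lang>.msg" path layout, the 256-byte message buffer and the character filter on the value are assumptions made for this example.

```c
/* Added example: hardened reconstruction of the pattern described in the
 * advisory. Names, paths and buffer sizes are assumptions, not linuxconf's. */
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <stdlib.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define LANG_MAX   5    /* maximum accepted length of LINUXCONF_LANG (from the author's second fix) */
#define ERRMSG_MAX 256  /* size of the error-message buffer (assumption) */

/* Second fix: validate the variable immediately when it is read.
 * Returns 1 if lang is non-empty, at most LANG_MAX characters, and made only
 * of letters, digits or '_' (the character filter is an extra assumption so
 * the value can never carry path separators); returns 0 otherwise. */
int lang_is_valid(const char *lang)
{
    size_t n = 0;
    if (lang == NULL)
        return 0;
    /* Bounded scan: never walk further than LANG_MAX + 1 bytes. */
    while (n <= LANG_MAX && lang[n] != '\0')
        n++;
    if (n == 0 || n > LANG_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = lang[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_'))
            return 0;
    }
    return 1;
}

/* First fix: the error message is built with snprintf, never sprintf.
 * Returns 0 if the whole message fit, 1 if it was truncated (the buffer is
 * still NUL-terminated either way, so a caller can print it safely). */
int format_missing_file_error(char *msg, size_t msglen, const char *path)
{
    int n = snprintf(msg, msglen, "Can't open language file %s", path);
    return (n < 0 || (size_t)n >= msglen) ? 1 : 0;
}

/* Whole flow. Returns 0 if the file opened, -1 if the variable was rejected,
 * -2 if the file could not be opened; msg holds the diagnostic on failure. */
int load_lang_file(const char *lang, const char *dir, char *msg, size_t msglen)
{
    char path[PATH_MAX];
    FILE *fp;

    if (!lang_is_valid(lang)) {
        snprintf(msg, msglen, "LINUXCONF_LANG rejected (empty, too long or bad characters)");
        return -1;
    }
    /* This step was already bounded in the original: snprintf into PATH_MAX. */
    snprintf(path, sizeof path, "%s/%s.msg", dir, lang);
    fp = fopen(path, "r");
    if (fp == NULL) {
        /* The original did sprintf(msg, "... %s", path) here: with a long
         * LINUXCONF_LANG the formatted path exceeded msg and overflowed it. */
        format_missing_file_error(msg, msglen, path);
        return -2;
    }
    fclose(fp);
    msg[0] = '\0';
    return 0;
}

int main(void)
{
    char msg[ERRMSG_MAX];
    const char *lang = getenv("LINUXCONF_LANG");
    int rc = load_lang_file(lang ? lang : "en", "/nonexistent/linuxconf/lang",
                            msg, sizeof msg);
    printf("rc=%d %s\n", rc, msg);
    return rc == 0 ? 0 : 1;
}
```

Run it with a long value in LINUXCONF_LANG and the variable is refused before any path is formatted; with a short value and a missing file, the diagnostic is produced by snprintf and stays inside its buffer. The second fix on its own already removes the overflow, but the bounded snprintf is kept so that a future caller passing a long path cannot reintroduce it.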

DETECTION

This vulnerability affects any version of linuxconf (essentially 6 years' worth of distributions) that is installed setuid root. Generally, the four ways in which this utility can be installed setuid are:

1. Shipped by vendor (Red Hat does not ship linuxconf setuid, but Mandrake does as do other Linux vendors)
2. Installed by RPM from the main site (http://www.solucorp.qc.ca/linuxconf/) for each particular Linux OS (installs setuid root by default)
3. Installed by source code also from the main site (http://www.solucorp.qc.ca/linuxconf/), which prompts for whether to install setuid root
4. Installed in ways 1, 2, or 3, and manually set to setuid root by the user for added functionality.

WORKAROUND

Remove the setuid bit from the linuxconf binary using the following command:

$ chmod u-s /bin/linuxconf

VENDOR RESPONSE

iDEFENSE immediately contacted Jacques Gelinas at jack@solucorp.qc.ca. He provided a source code patch. iDEFENSE verified that the vulnerability is mitigated in linuxconf 1.28r4. This version should be available as of August 28, 2002, at
http://www.solucorp.qc.ca/linuxconf/download.hc.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has not assigned an identification number to this issue.

DISCLOSURE TIMELINE

08/09/2002 Issue disclosed to iDEFENSE
08/19/2002 Issue disclosed to vendor
08/19/2002 Issue disclosed to iDEFENSE clients
08/21/2002 Announcement made to vendor-sec@lst.de
08/28/2002 Coordinated public disclosure by iDEFENSE, Linux vendors and Linuxconf maintainer

CREDIT

Euan Briggs (euan_briggs@btinternet.com) is credited with discovering this bug.