tigerteam.se security advisory - TSEAD-200510-4
www.tigerteam.se

Advisory: Local root vulnerabilities in F-Secure's FSIGK
Date: Mon Oct 31 15:00:41 CET 2005
Application: F-Secure's Internet Gatekeeper <2.10-431
Vulnerability: Improper handling of suid wrapping allows for root inheritance
Reference: TSEAD-200510-4
Author: Xavier de Leon

SYNOPSIS

http://www.f-secure.com/products/anti-virus/fsigk/:

"F-Secure® Internet Gatekeeper™ is a high-performance and fully automated antivirus and content filtering solution for protecting corporate e-mail (SMTP) and web traffic (HTTP, FTP over HTTP) at the Internet gateway. In addition to virus protection, the solution provides spam filtering, content filtering and access control. Thus, the solution does not only improve security, but it also improves employee productivity, reduces legal liability concerns and saves network bandwidth."

The vulnerability itself is not complex, and it would not be worth an advisory if it were not for the fact that the attacker is able to inherit root, in most cases at least. The vulnerable scripts in question are installed suid and usually with world-executable rights. The vulnerability is based around the same line of code in 17 different binaries. It goes as follows ({file} stands for the name of each wrapper):

    #include <unistd.h>
    int main(void) { execl("./{file}.cgi", "{file}.cgi", (char *)0); }

All the attacker has to do is write an arbitrary shell script in a writable directory and call the proper {file}_suid.cgi file from there. That's pretty much it. The vulnerability lies in the execl: it executes a file from the current directory instead of from a trusted path.

This can also be exploited by creating an arbitrary file called "common.ph" containing a Perl function parse_query() that does something nasty. You can then softlink the target non-suid .cgi file accordingly and call the suid counterpart that executes that .cgi file.
VENDOR RESPONSE

First contact: Sep 29, 2005 11:04 PM
Reply: Oct 6, 2005 9:29 AM
Reply 2: Oct 31, 2005

VULNERABILITIES

 1) ifconfig_suid.cgi calls "./ifconfig.cgi"
 2) reboot_suid.cgi calls "./reboot.cgi"
 3) proxy_suid.cgi calls "./proxy.cgi"
 4) edittmpl_suid.cgi calls "./edittmpl.cgi"
 5) version_suid.cgi calls "./version.cgi"
 6) hostname_suid.cgi calls "./hostname.cgi"
 7) gateway_suid.cgi calls "./gateway.cgi"
 8) halt_suid.cgi calls "./halt.cgi"
 9) edituserdb_suid.cgi calls "./edituserdb.cgi"
10) htpasswd_suid.cgi calls "./htpasswd.cgi"
11) pattern_up_suid.cgi calls "./pattern_up.cgi"
12) license_suid.cgi calls "./license.cgi"
13) iptables_suid.cgi calls "./iptables.cgi"
14) dns_suid.cgi calls "./dns.cgi"
15) pattern_autoup_suid.cgi calls "./pattern_autoup.cgi"
16) spam_list_suid.cgi calls "./spam_list.cgi"
17) diag_suid.cgi calls "./diag.cgi"

EXPLOIT

The following attachment is encrypted with GnuPG (gpg) using a symmetric cipher (passphrase). To extract the exploit you can simply run:

    gpg -d TSEAD-200510-4.txt > fsigk_exploit.py ; chmod +x fsigk_exploit.py

We will disclose the password on the front page of www.tigerteam.se in the near future... stay tuned.
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.1 (GNU/Linux)

jA0ECQMC5oIBhGRNQt1g0uoBV1DbT2g6uVyLnQVeQsFEMy1uAVTpVgUa5uIIeZsT
08F4EkT7SRomiebR9FKdJg0Vg7tDrXm8RM10qz553k4ILPwtYmUvSx9LeKWhW6CD
DVojNQZEejHJqXwUu7wSq1ZUrG/wBozHojkImaQv86j9OHDWN6JlS7qB8uRZeT0p
oJHI+U/+ixPdIKJ4FF8HVxAMAtiSgxOv2zgK15xH7vbBxtakrUY+QYOl30Hs+9BW
R5S/s4AgVwIicUcntwbQfFUO580R+5Bs/Q6H1r2Ux/zgfRrM3mnqKwfKJ3I05h3F
AyOE8P4ZFifejCQO7/Htcmcy1NPi9ONspB5R5cbkVnGaNuqNFR7YbzRByWgMZdBF
3l0nD4xcssksUfYhDuvAcjqLbnbdm23e/1WT0+mKgpQK05qXyzkgM3aCknkHb8hC
aXNxu1/+aFWnw9tfM3R9xTfsDZRU2msdQdTFBxD26x+yMt9yh6PPb17brf//XJOn
9UYmqcozZZdh51LgbU68zG5M2dTrYocJ/MUJ5e4SgbKSXmLK5Jg65YvvuvNCwG3u
0doZfgkIsFjP7xQDHH3SXlzmjk+Ywd57Fk63v53t2Dis6n/vzDCv8OpgmFpvRlL8
3LILjPxYiEaOVmImnXgpyVa793Vs2l79fxL2akqr2gD5xkDCEBP6SsgGyQhX0VF1
LNTLofpEr+iY1z/pkdfZw06j8W8xqDRFs3m8ezV9VlwHRGtlKbflZpnjAukXP74G
DsPTUAwxf7uUyzWScsSUqsuHg4y6T+HDPq3At8wAFjrNr1ARWLks/cl3gFmFmZrR
R1a2P+bl9Ia+XDmkX1INawKtNpprqZ3yxGlEvdaLtaduiQwBH25VtrermVkUFpvL
jdgs1t79+TZJ/23ltNJ9ij1zRdQZKH9N4vs23mzputuHGoQRiGMq8KuR/TLtKDMx
shEDz8ejQ2SDE903ruwKLo2iORLd+r+LcyMZcE+Ixv3CwjnX9jjoDY1Ax/jWP0Lo
X0FMYh8cdUQ5DXdXQ4HsGeXLgOkNW7NKrl715qOPPKmc7BIhL3okAU1XJmiJRwjA
05XY4YVCq4Tp4newDe7AEEpkPyP3c6YOZTuU4PbMQ/Zs/Ef2xn4Id7rpSWdvIZze
GuDCmIFMnOxbPe3eng3coRkpbFmUw7Ywn2Hi0cUnjz+s6DFjZUqrPyfwmWYs0K4q
ivCil2Qa3leufkU1UdTTV85e4V/RC0mxjtO+gWhNjLXXruUa9KDD6hPQ0/JcTwSb
0lOVU2PW9QMoJtPDejF9+6LHcoLhdsgQCoLD6h+jQ8GxmlUBJ+2DIfXZ0LRh1jH+
o1Jn+4OWu+UO6VWsNG2rys9+hXW2jN+12ayeu8YR2oJE6XNOykyM1YuMVdFkiyPV
1rC826LNEv+oVmFXgKMA1G5L9U8vDR+4gB3iyk1facFvo7TtN1ivY1jQamtQa3JU
hxhRH+lpt7K5TqlMxlMHhyp6o92Y108YUnm0BoUThZAyBBf5RAfdIeOwGIh7Y9Yr
RPTKUxVWoNfWL0ewvIap3xt/7nnyJXAC8iVZsyvNxq1JadxmQZcjbfdBWZslC/wt
BaERGYdXJtpVxC2TiYvcFEfJgVGaWHA4HL9VP3hQI2Mo3BsVibvNLGSbJMm4xZyJ
B4Szd7EdqWCK2rY8yZ+5+bGxTC9unmCRHJbFE7T631ecmok4ElFRn2Q5gf4ModXh
mfJycQsODxATeU9me86CNrrUC4pUuJ/d89FjVNHEOMzScKa0GrmRbex/+rd40rZM
9+4XXkcxqPpluNwkHh229TOPhMBbAq4be5SMGXrv2a72ZPk6hXWy0D/SR6FnpIgu
6m8u3HVqQxEf2Xm8RzmMQqduDMp39w17ld7Zx/GmO4Kndtn6I8zhhCEr/D6NPaC/
+1AHmCFreOTwykZUYGWg+t1yOmYsGvZuOLEYT/S75BYHkcSum9K8AL5e9Opi8CNn
eQ0WC1waHYIDosA0QLnmj6H0KEHqJHzKnYjec4EtDwQ1sXphjK8RObl1E29Ytl0y
EtPgiHF6RwnwxNCp+3lgT+cFwTzPT9Nc34RzHfFIXXpT3Jd5RR9iyNp8HXur9E6a
FGAvOvFDjS3RV4eTsB2L2Cywu3ZAMOpRlk/qT507ysm3Q4atomNxai50p+kHoZ5P
yIFPCDr+Zn018ZMToxFYB3VEMw7FfdaP4dmQ6TUKAf8ZodhzxfCTKHm3ofUfUG+K
9Zj9Vc/oL64wq/8DL50R8vDsMVMOFN9VyplzjkXYmpZFSKu8Mvp4KGUzKQMebgF1
rLgn5Qipya+250NawKvA0aTJq5aBPAErQ8SWevjyOdZFXkHq9g6FLEXFtvDUX0Tp
TfM1LFs4CMD353dj1+mlHnvrqinbTnDLRNvGj6dYf+6ryWdAg+YuHMoGdg8k43WH
rL2S+db0Kd44+BN4MIpTBSRZF227y+kyCf0JkUhDT7jCoxWpHTXaYZnI22zDgRkE
Ta+04utyfFU16vJLA8dq7hPLzZTeX13Yz3ZkGzQOS5ZceAkYOidBmwlz9ZK4tjSs
2A0taJ73D2uCPdvbegZ3fUlcbNdUL1NOFYfPB4vM0ZOGhDXOSsTCMwnJMKV/FJBs
YEYhGI9TY9RCpg8VCqcWbx/5+AsXf9KmenBVHv7fIEzTRTbKOFdMcB0MxdiCvRYg
7qsDX4VCZ657qnIjRue/HUGPfSPWtV38cse5PCHxsgHueOWTs1339+JfvVZuj6Lc
=sx9/
-----END PGP MESSAGE-----

DISCOVERY

Xavier de Leon

ACKNOWLEDGMENTS

I would like to thank the following people in no particular order: to all the brothers in p-e and uDc, you know who you are.

ABOUT TIGERTEAM.SE

tigerteam.se offers spearhead competence within the areas of vulnerability assessment, penetration testing, security implementation, and advanced ethical hacking training. tigerteam.se consists of Michel Blomgren and Xavier de Leon. Together we have worked for organizations in over 15 countries.