Cdrecord can call external programs specified by the RSH environment variable. This may permit a malicious local user to gain elevated privileges.
Cdrecord is an application used to create data or audio compact discs. Cdrecord permits the use of CD recorders on remote machines via an access program on the local machine. This access program is specified in the RSH environment variable. Cdrecord fails to drop the effective user ID (euid) when calling the program specified by the RSH environment variable.
By specifying a shell script of their own devising, malicious local users can execute arbitrary code with permissions of the cdrecord program. If cdrecord is suid root, the arbitrary code will run with root permissions.
This issue is resolved in cdrtools 2.01, available at the cdrecord download page.
In general, do not run programs as setuid root if such a permission level is not required.
Apple Computer Inc. Not Affected
FreeBSD Not Affected
Juniper Networks Not Affected
Openwall GNU/*/Linux Not Affected
Cray Inc. Unknown
EMC Corporation Unknown
Hewlett-Packard Company Unknown
IBM eServer Unknown
Ingrian Networks Unknown
MontaVista Software Unknown
NEC Corporation Unknown
Red Hat Inc. Unknown
Sony Corporation Unknown
SuSE Inc. Unknown
Sun Microsystems Inc. Unknown
Wind River Systems Inc. Unknown
Thanks to Max Vozeler for reporting this vulnerability.
This document was written by Will Dormann.
|Date First Published:||2004-09-16|
|Date Last Updated:||2004-09-17 19:13 UTC|