Cdrecord can call external programs specified by the RSH environment variable. This may permit a malicious local user to gain elevated privileges.
Cdrecord is an application used to create data or audio compact discs. Cdrecord permits the use of CD recorders on remote machines via an access program on the local machine. This access program is specified in the RSH environment variable. Cdrecord fails to drop the effective user ID (euid) when calling the program specified by the RSH environment variable.
By specifying a shell script of their own devising, malicious local users can execute arbitrary code with permissions of the cdrecord program. If cdrecord is suid root, the arbitrary code will run with root permissions.
This issue is resolved in cdrtools 2.01, available at the cdrecord download page.
In general, do not run programs as setuid root if such a permission level is not required.
Thanks to Max Vozeler for reporting this vulnerability.
This document was written by Will Dormann.
|Date First Published:||2004-09-16|
|Date Last Updated:||2004-09-17 19:13 UTC|