Bugtraq mailing list archives

Re: Vulnerability in Lizards game


From: alex_murray () VNET IBM COM (Alex Murray)
Date: Wed, 12 Nov 1997 14:56:35 -0500


SUID shared,
Recently looking through the source of the suid root game called Lizards I
noticed a vulnerability which is incredibly trivial to allow regular users
at the console gain unauthorized root access.
....
privileges, it executes "clear" (supposed to be /usr/bin/clear) as root,
....
Lame fix:   chmod -s /usr/games/lizardlib/lizardshi
Better fix: Change the source code, recompile lizards to reference "clear"
            absolutely.

Even if you change system("clear") to system("/usr/ucb/clear"), the user can
still invoke lizards in a /bin/sh environment where IFS contains the "/"
character and simply provide something called "usr" in their path which
invokes a root shell.  Unless Linux does something clever to prevent this, or
unless lizards is smart enough to check the IFS environment variable, that is.

In a brand spanking new AIX 3.2.5 system, the /usr/lpp/servinfo/servinfo
command (if installed) contains this sort of creature; if the
/usr/lpp/servinfo/data/siAPARs.db.Z file has not yet been uncompressed,
servinfo executes a system call to /usr/bin/uncompress -f to make it happen.
The servinfo command is mode 4755 owned by root and trusts the environment you
give it.  On occasion this has come in handy. :)

I have also seen patched systems where servinfo is owned by nobody.  (I don't
have the PTF number handy, surf the IBM web site for more info.)  Then again,
it's occasionally useful to be known as nobody, too...

_Alex
 #include <std/disclaim.h>

_____________________________________________________________________________
 Alex Murray                                        alex_murray () vnet ibm com
 IBM Canada, Call Centre Solutions              +1 905 316-4243 fax 316-2156
_http://www.can.ibm.com/ccs__________________________________________________
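The defensive pattern the thread points at (absolute path, no shell, and an environment the privileged program does not trust), as an added C example; this is not code from Lizards, servinfo or the poster, and `run_helper_unprivileged`, `clean_env` and `run_helper_noargs` are names chosen here. It assumes a Unix system where fork/execve are available and /bin/true exists.

```c
/* Added example (not Lizards or servinfo code): how a setuid-root program
 * should spawn a helper such as "clear" without trusting the caller's
 * environment. Names here are chosen for the example. */
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the child: inherited PATH and IFS are dropped,
 * so nothing the invoking user set can steer which program runs. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Run `path` with `argv` as the real (unprivileged) user via execve().
 * No shell is involved, and the path must be absolute, so neither IFS nor
 * PATH from the caller's environment is consulted.
 * Returns the child's exit status, or -1 on error (errno set). */
int run_helper_unprivileged(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/') {   /* refuse PATH lookups */
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop to the invoking user's gid/uid before exec. For a
         * setuid-root binary this permanently gives up root. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(path, argv, clean_env);
        _exit(127);   /* execve returns only on failure */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience: run an argument-less helper such as "/usr/bin/clear". */
int run_helper_noargs(const char *path)
{
    char *argv[] = { (char *)path, NULL };
    return run_helper_unprivileged(path, argv);
}
```

Because the child is started with execve() and a fixed envp, a hostile IFS or PATH in the invoking user's environment has no effect on which binary runs.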
