Bugtraq mailing list archives
Re: Vulnerability in Lizards game
From: alex_murray () VNET IBM COM (Alex Murray)
Date: Wed, 12 Nov 1997 14:56:35 -0500
SUID shared,
> Recently looking through the source of the suid root game called Lizards I noticed a vulnerability which is incredibly trivial, allowing regular users at the console to gain unauthorized root access.
> ....
> privileges, it executes "clear" (supposed to be /usr/bin/clear) as root,
> ....
> Lame fix: chmod -s /usr/games/lizardlib/lizardshi
> Better fix: Change the source code, recompile lizards to reference "clear" absolutely.

Even if you change system("clear") to system("/usr/ucb/clear"), the user can still invoke lizards in a /bin/sh environment where IFS contains the "/" character and simply provide something called "usr" in their path which invokes a root shell. Unless Linux does something clever to prevent this, or unless lizards is smart enough to check the IFS environment variable, that is.

In a brand spanking new AIX 3.2.5 system, the /usr/lpp/servinfo/servinfo command (if installed) contains this sort of creature; if the /usr/lpp/servinfo/data/siAPARs.db.Z file has not yet been uncompressed, servinfo executes a system call to /usr/bin/uncompress -f to make it happen. The servinfo command is mode 4755 owned by root and trusts the environment you give it. On occasion this has come in handy. :) I have also seen patched systems where servinfo is owned by nobody. (I don't have the PTF number handy, surf the IBM web site for more info.) Then again, it's occasionally useful to be known as nobody, too...

_Alex
#include <std/disclaim.h>
_____________________________________________________________________________
Alex Murray                                        alex_murray () vnet ibm com
IBM Canada, Call Centre Solutions             +1 905 316-4243     fax 316-2156
_http://www.can.ibm.com/ccs__________________________________________________
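
Added example, not part of the original post or the Lizards source: one way a set-uid program can run a helper such as clear without passing a command line to /bin/sh, so that neither PATH nor IFS is ever interpreted and the helper does not run with the elevated ids. The function name run_trusted, the environment values and the /usr/bin/clear path used in main are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed, minimal environment: nothing is inherited from the caller
 * (no caller-supplied PATH, IFS, LD_* and so on). Values are assumptions. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin", "IFS= \t\n", "TERM=vt100", NULL
};

/* Run an absolute-path program directly, with no shell in between.
 * Returns the child's exit status, or -1 on error. */
int run_trusted(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')   /* refuse PATH-relative names */
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop set-id privileges before exec, group first,
         * then user; fail closed if either call fails. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(path, argv, clean_env);    /* no /bin/sh, so IFS is never parsed */
        _exit(127);                       /* exec itself failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const args[] = { "clear", NULL };
    return run_trusted("/usr/bin/clear", args) == 0 ? 0 : 1;
}
```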