Date: Tue, 28 May 2002 06:37:28 -0400
From: KF <[email protected]>
To: [email protected], [email protected]Subject: Xandros based linux autorun -c
There is a new debian based distro called Xandros making its way on to the market.I believe the developers from Corel Linux are on board with Xandros. It has at least one public beta and another on the way and I know of at least one OS that uses it as its backend. I got a chance to play on a couple of Xandros based distros and came up with a few security issues.
Due to some extremely sketchy wording on disclosure by one of the above mentioned distros I will refrence all distros in general as a "Xandros based flavor of linux". I can not verify that the holes are shared in all flavors.
The first issue I am going to disclose is in the setuid autorun binary. If this binary is called with the command line argument -c and any file name you are able to read the first line of that file... for example /etc/shadow.
exploit: autorun -c /etc/shadow
Here is part of the response from the developer regarding only this issue... I just informed them of 6 others that I am aware of.
---------- Author or Developers response ----------------
I have fixed the bug in autorun. There will be a new package posted
for Xandros Desktop Beta 2. A fix for Beta 1 will not be provided as we
are not supporting older beta releases in any way. Lindows.com has been
notified as well, but we have yet to hear back from them.
As soon as our QA department gives us the green light, a notice will be
posted to the beta newsgroups and the new package will be posted on the
ftp site.
---------------------------------------------------------
http://www.snosoft.com
-KF