mailing list archives
TESO & C-Skills development advisory -- imwheel
From: krahmer () CS UNI-POTSDAM DE (Sebastian)
Date: Thu, 16 Mar 2000 14:38:47 +0100
-----BEGIN PGP SIGNED MESSAGE-----
TESO Security Advisory
imwheel local root compromise
A vulnerability within the imwheel application for Linux has been
discovered. Some of these packages are shipped with an suid-root
wrapper-script that invokes the insecure program 'imwheel' with UID 0.
Any system which has imwheel-solo wrapper-script installed as set-UID root.
Among the vulnerable distributions (if the package is installed) are the
Halloween Linux Version 4 - imwheel package from the
[stealth () liane stealth]$ id
uid=500(stealth) gid=500(stealth) groups=500(stealth)
[stealth () liane stealth]$ cd imhack/
[stealth () liane imhack]$ stat `which imwheel-solo`
Size: 795 Filetype: Regular File
Mode: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 3,1 Inode: 214472 Links: 1
Access: Mon Mar 13 17:32:22 2000(00000.00:04:38)
Modify: Mon Nov 1 23:41:15 1999(00132.17:55:45)
Change: Sun Mar 12 17:49:43 2000(00000.23:47:17)
[stealth () liane imhack]$ cc imexp.c
[stealth () liane imhack]$ ./a.out
You can also add an offset to the commandline.
Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
Respect other users privacy!
Invoking vulnerable program (imwheel-solo)...
imwheel is not running as a daemon.
imwheel is not checking/writing a pid file, BE CAREFUL!
An imwheel may be running already, two or more imwheel processes
on the same X display, or using gpm -W, will not operate as expected!
imwheel started (pid=1385)
Knocking on heavens door...
uid=0(root) gid=500(stealth) groups=500(stealth)
An attacker may gain local root-access to a system where vulnerable imwheel
package is installed. Even if it should not be possible for him to get a
root-shell (f.e. due to a non-exec stack-patch) he can use the suid-root
perlscript to kill arbitrary processes.
The suid-root perlscript 'imwheel-solo' invokes the 'imwheel' program with
Due to inaccurate bounds-checking an internal stack-located buffer can
be overflowed by an attacker. The 'imwheel' program doesn't bounds-check
the string it gets from the HOME environment variable.
Further the wrapper-script which runs privileged can be fooled into sending
a SIGTERM signal to arbitrary processes, causing them to die.
This problem appears because imwheel-solo blindly trusts any PID given by a
The author and the distributor has been informed before.
A patch is not yet available. Just remove the suid wrapper-script.
The bug-discovery and the demonstration programs are due to S. Krahmer .
The shell-code is due to Stealth.
This advisory has been written by S. Krahmer.
The TESO crew can be reached by mailing to teso () coredump cx
Our web page is at https://teso.scene.at/
C-Skills developers may be reached through .
 S. Krahmer, C-Skills
http://teso.scene.at or https://teso.scene.at/
This advisory does not claim to be complete or to be usable for any
purpose. Especially information on the vulnerable systems may be
inaccurate or wrong. The supplied exploit is not to be used for malicious
purposes, but for educational purposes only.
This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should include
link  and .
We've created a working demonstration program to exploit the vulnerability.
The exploit is available from
http://teso.scene.at/ or https://teso.scene.at/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----