Re: Corel Linux 1.0 dosemu default configuration: Local root vuln
From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Sat, 4 Mar 2000 18:11:30 +0100
On Tue, 2 Mar 100 suid () SUID KG wrote:
> Local users can take advantage of a packaging and configuration
> error (which has been known and documented for a long time) to
> execute arbitrary commands as root.

I cannot speak for DOSEMU developers, but it is my impression you are
supposed to know what you are doing, what risk you accept (and the risk
is far from negligible), and the ways the risk can be mitigated ("secure
on", "dpmi off" (*), /etc/dosemu/users) if you install DOSEMU setuid root,
and that installing it in this way by default in the name of user-
friendliness or whatever is a VERY BAD THING. Whether the package includes
the system.com binary or not is irrelevant (**). Yes, I know Corel is not the
only vendor who is guilty, even if we limit ourselves to Linux distros
(in fact, the package in question is probably an unmodified Debian

(*) I wonder whether newer versions of doc/README/SECURITY mention that
(at least according to what I heard from Hans Lermen) DPMI programs can
invoke Linux syscalls directly and circumvent any walls DOSEMU itself
raised to protect itself (unless some incredibly creative protection was
invented since version 0.97).

(**) As long as a user can make the virtual machine execute arbitrary
code (I'd like to see a useful installation making this impossible), he
can create and run his own program calling the problematic subfunction of
interrupt 0xE6 (or doing other nasty things).

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
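The post names three things an administrator controls on a setuid-root DOSEMU install: whether the binary is setuid at all, the "secure on" and "dpmi off" settings, and the /etc/dosemu/users access list. The script below is an added example (not part of the original post or of the DOSEMU project) that audits those three conditions on a host. The paths /usr/bin/dosemu and /etc/dosemu.conf, the plain "key value" syntax for the two settings, and the "all" wildcard in the users file are assumptions; check them against the DOSEMU version actually installed.

```shell
#!/bin/sh
# Added example, not from the original post or the DOSEMU project: audit a
# DOSEMU installation for the conditions the post discusses:
#   (1) is the dosemu binary setuid (the precondition for the whole problem)?
#   (2) are the mitigating settings "secure on" and "dpmi off" present?
#   (3) does the users file restrict who may run it?
# Assumptions: settings appear as plain "key value" lines in the config file,
# and a line starting with "all" in the users file is a wildcard for everyone.

# check_setting CONF KEY VALUE -> 0 if an uncommented "KEY VALUE" line exists
check_setting() {
    grep -qiE "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1" 2>/dev/null
}

# audit_dosemu BIN CONF USERS
# Prints one line per finding; returns 0 when nothing was flagged, 1 otherwise.
audit_dosemu() {
    bin=$1 conf=$2 users=$3
    flagged=0

    # (1) Setuid bit on the emulator binary.
    if [ -u "$bin" ]; then
        echo "RISK: $bin is setuid (DOSEMU installed setuid root)"
        flagged=1
    else
        echo "ok: $bin is not setuid; remaining checks are precautionary"
    fi

    # (2) Mitigating settings; a commented-out line does not count.
    if check_setting "$conf" secure on; then
        echo "ok: 'secure on' present in $conf"
    else
        echo "RISK: 'secure on' not set in $conf"
        flagged=1
    fi
    if check_setting "$conf" dpmi off; then
        echo "ok: 'dpmi off' present in $conf"
    else
        echo "RISK: 'dpmi off' not set in $conf (DPMI clients bypass DOSEMU's own walls)"
        flagged=1
    fi

    # (3) Access list: a missing file or an 'all' wildcard means any local user may run it.
    if [ ! -f "$users" ]; then
        echo "RISK: $users missing, no per-user restriction"
        flagged=1
    elif grep -qE '^[[:space:]]*all([[:space:]]|$)' "$users"; then
        echo "RISK: $users grants access to all users"
        flagged=1
    else
        echo "ok: $users present and does not use the 'all' wildcard"
    fi

    return $flagged
}

# Stand-alone run against the conventional paths (assumed; adjust as needed):
#   sh audit_dosemu.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_dosemu /usr/bin/dosemu /etc/dosemu.conf /etc/dosemu/users
fi
```

Run it as root on the host in question; a non-zero exit with any RISK line means the default-install situation the post complains about is still in effect. The cleanest fix remains the one the post implies: do not install the emulator setuid root at all, in which case the two settings and the users file become secondary.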