Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Subject: Corel Linux 1.0 local root compromise
Date: Fri Feb 25 2000 - 00:28:36 CST
- Next message: Christophe GRENIER: "Scorpion Marlin"
- Previous message: Fernando Schapachnik: "Re: A DDOS defeating technique based on routing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
suidsuid.kg - Corel xconf utils local root (among others) vulnerability.
Advisory Author: suidsuid.kg
Software: Corel Linux 1.0 xconf utilities
Version: Version 1.0
Platforms: Corel Linux only.
Local users can take advantage of lack of input validation and
the lack of privilege dropping to gain root access, or perform
a denial of service attack on Corel Linux systems.
There are multiple vulnerabilities. I know I have missed some
here. For example, I saw some /tmp files being used with the
return value of time(NULL) as an attempt at selecting a unique
filename. I haven't written these up here however.
(1) Appending garbage XF86Config data to any file on the system
/sbin/buildxconf does no input validation and is setuid root.
Invoking it with the -f argument, a user can specify a filename
to output to. Example /etc/shadow.
(2) Replacing the first line of any existing file with garbage.
As above, no input validation. When invoked with the -x
command buildxconf replaces the first line of the specified
file with the path/filename of an X server. An effective
denial of service against /etc/passwd root account.
(3) Create root owned world writable files anywhere on the file system.
Again, buildxconf does no input validation or directory
permission checks. specifying -x or -f on a non existent
filename creates that file mode 0666. Set your umask to 0.
(4) Executing arbitrary commands with euid root.
A touch different. /sbin/setxconf allows users to test X configs
with the -T switch. This process eventually invokes xinit with
euid root. A quick look at the xinit man page will tell you
that xinit looks at ~/.xserverrc and will execute things in there
In the interests of keeping this post short I have left the rest of this
advisory off. If your interested in exploit/workaround information visit: