Bugtraq mailing list archives
Re: Corel Linux 1.0 dosemu default configuration: Local root vuln
From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Sat, 4 Mar 2000 18:11:30 +0100
On Tue, 2 Mar 100 suid () SUID KG wrote:
> Local users can take advantage of a packaging and configuration error (which has been known and documented for a long time) to execute arbitrary commands as root.
I cannot speak for DOSEMU developers but it is my impression you are supposed to know what you are doing, what risk you accept (and the risk is far from negligible), and the ways the risk can be mitigated ("secure on", "dpmi off" (*), /etc/dosemu/users) if you install DOSEMU setuid root, and that installing it in this way by default in the name of user-friendliness or whatever is a VERY BAD THING. Whether the package includes system.com binary or not is irrelevant (**).

Yes, I know Corel is not the only vendor who is guilty--even if we limit ourselves to Linux distros (in fact, the package in question is probably an unmodified Debian package).

(*) I wonder whether newer versions of doc/README/SECURITY mention that (at least according to what I heard from Hans Lermen) DPMI programs can invoke Linux syscalls directly and circumvent any walls DOSEMU itself raised to protect itself (unless some incredibly creative protection was invented since version 0.97).

(**) As long as a user can make the virtual machine execute arbitrary code (I'd like to see a useful installation making this impossible), he can create and run his own program calling the problematic subfunction of interrupt 0xE6 (or doing other nasty things).

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
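An audit for the condition the message above describes, as an added example that is not part of the original post or of DOSEMU: it reports whether a DOSEMU binary is setuid root and, if so, whether the configuration carries the "secure on" and "dpmi off" directives. Assumptions: the caller supplies both paths, the config holds one whitespace-separated directive per line with `#` comments, and the last occurrence of a directive wins; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a DOSEMU install for the setuid-root risk and the
# two config mitigations quoted in the message ("secure on", "dpmi off").
# Assumed config format: "<name> <value>" per line, '#' starts a comment,
# and a later line overrides an earlier one.

# is_setuid_owned_by FILE [UID] -> 0 if FILE has the setuid bit set and is
# owned by UID (default 0, i.e. root).
is_setuid_owned_by() {
    [ -f "$1" ] && [ -u "$1" ] || return 1
    [ "$(ls -ln "$1" | awk '{print $3}')" = "${2:-0}" ]
}

# has_directive CONF NAME VALUE -> 0 if the effective (last uncommented)
# setting of NAME in CONF equals VALUE, compared case-insensitively.
has_directive() {
    awk -v k="$2" -v v="$3" '
        { sub(/#.*/, "") }                      # drop comments
        tolower($1) == k { last = tolower($2) } # remember the latest value
        END { exit !(last == v) }
    ' "$1"
}

# audit_dosemu BIN CONF [UID] -> prints findings; the return status is the
# number of missing mitigations (0 when BIN is not setuid at all).
audit_dosemu() {
    bin=$1; conf=$2; uid=${3:-0}; findings=0
    if ! is_setuid_owned_by "$bin" "$uid"; then
        echo "OK: $bin is not setuid (uid $uid)"
        return 0
    fi
    echo "RISK: $bin is setuid (uid $uid)"
    has_directive "$conf" secure on ||
        { echo "MISSING in $conf: secure on"; findings=$((findings + 1)); }
    has_directive "$conf" dpmi off ||
        { echo "MISSING in $conf: dpmi off"; findings=$((findings + 1)); }
    return "$findings"
}

# Stand-alone use: sh audit.sh <path-to-dosemu-binary> <path-to-config>
if [ $# -ge 2 ]; then
    audit_dosemu "$1" "$2"
fi
```

A clean result here only means the two directives are present; per the footnotes in the message, it does not make a setuid-root install safe.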