[1072] in linux-security and linux-alert archive
[linux-security] vulnerability in splitvt
daemon@ATHENA.MIT.EDU (Stunt Pope)
Mon Aug 26 07:22:41 1996
From: Stunt Pope <markjr@shmooze.net>
To: linux-security@tarsier.cv.nrao.edu
Date: Sun, 25 Aug 1996 21:32:09 -0400 (EDT)
Cc: cert@cert.org

This may or may not have been reported already. I only
found out about this list _after_ I had been hacked :<

There is a vulnerability in the program splitvt that is bundled
with Linux Slackware that allows any account on the system
that can access a C compiler to get root.

The program used for the exploit in this instance is called
"sl", and the intruder(s) always made sure they deleted the
source as soon as they'd compiled the binary, so I can't
supply that (although I would love to see it).

Once this prog is compiled the exploit is as simple as:

$ sl
$ sl
$ splitvt
# tada!

(note the sl prog must be run _twice_, I don't know why).

I did have an opportunity to pick the intruder's brains about
it a little, here's an IRC log excerpt:

> what's the sl prog?
<Snoopy> Its the exploit I was telling you about
> hows it work?
<Snoopy> It sets up to run splitvt and shells out to root when it runs suid root
<Snoopy> to use it just type
<Snoopy> sl
<Snoopy> sl
<Snoopy> splitvt
<Snoopy> And presto, root
> and how do you get the root shell from that?
<Snoopy> Well when splitvt runs it runs over to a suid root level
> did you bring the sl prog in yourself and it exploits a bug in splitvt?
> ok
<Snoopy> so the program just manipulates that to give you a root shell
> so you brought the prog in
<Snoopy> yup
> you never cracked the root passwd then
<Snoopy> Nope
<Snoopy> I never needed it
<Snoopy> I could have got it in time
<Snoopy> with the sniffer