[950] in linux-security and linux-alert archive
[linux-security] Security hole in Abuse game (in RedHat 2.1)
daemon@ATHENA.MIT.EDU (Tim Wilfong)
Wed Jul 24 06:47:10 1996
Date: Mon, 22 Jul 1996 23:42:28 -0700
From: Tim Wilfong <tim@webxs.com>
To: linux-security@tarsier.cv.nrao.edu
Here's one that I never would have thought of until it hit me! There is a
security hole in the game called Abuse that is shipped in the RedHat 2.1
distribution (others?) that allows a hacker to create an suid root shell.
This game is usually installed in /usr/lib/games/abuse. If you have it on a
sensitive system, get rid of it. There is a shell script floating around
that makes it fairly easy for even novice hackers to use this hole.
[REW: For a secure system, you should always check if you don't have
too many setuid programs lying around. At one time I tried looking for
security holes in setuid programs, and it turned out that only a few
were not exploitable..... Use
find / -perm -4000 > /tmp/setuid.programs
and see whether you find any that you'll never use. (remove them or
remove just the suid bit.) I just found a set of VGA-console programs
that have setuid-root bits. I don't have a VGA monitor, so I'll never
run those. These are an unnecessary risk to my system.
I found (there have been requests for this list in the past right?):
at/cron/printing: at, crontab, lpq, lpr, lprm.
passwd file: passwd, npasswd, newgrp, su, chfn, chsh, login.
mail, news: mh/inc, mh/msgchk, procmail, inndstart, sendmail.
vga console: zgv, koules[.svga], zapem, vga_klondike, vga_ohelll,
vga_solitaire, vga_spider, tetris, sdoom, vga_connectN, vga_mines,
vga_othello, abuse/keydrv.
network: rcp, rlogin, rsh, traceroute, sliplogin, timedc, ping.
mount: mount, umount.
X: XF86_[servers], rxvt, SuperProbe, xterm, nxterm.
I also found "xload", whose setuid-bit I removed. kmem-based xload
implementations should've had a setgid-kmem xload, where the
kmem group has read access to /dev/kmem.]
-----------------------------------------------------------------------------
Tim Wilfong (tim@webxs.com) Local WebXS access numbers:
XS Communications Santa Maria, Nipomo, Arroyo Grande, Pismo
(805) 929-7220
http://www.webxs.com/ San Luis Obispo, Avila Beach
info@webxs.com sales@webxs.com (805) 481-7202
For questions or support, call our voice lines: Nipomo 929-7200, SLO 595-9233
-----------------------------------------------------------------------------
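
One way to run the setuid audit described in the moderator's note, as an added example that is not part of the original message: it lists setuid files with the same find test, reports those missing from an allowlist, and can clear just the suid bit. The function names and the allowlist file format are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit setuid files under a directory tree against an allowlist.
# Function names and the allowlist format are hypothetical, not from the post.

# list_setuid ROOT
# Print every regular file under ROOT that has the setuid bit set (-perm -4000,
# the same test as the find command in the message), sorted for stable output.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# unexpected_setuid ROOT ALLOWLIST
# Print the setuid files under ROOT that are NOT listed in ALLOWLIST.
# ALLOWLIST holds one absolute path per line; lines starting with # are comments.
unexpected_setuid() {
    root=$1
    allow=$2
    list_setuid "$root" | while IFS= read -r path; do
        # -F fixed string, -x whole-line match, so /bin/su does not match /bin/sudo
        if ! grep -v '^[[:space:]]*#' "$allow" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# strip_setuid FILE...
# Remove only the setuid bit; the program stays installed and still runs
# with the invoking user's privileges.
strip_setuid() {
    for f in "$@"; do
        chmod u-s -- "$f"
    done
}

# Stand-alone use: audit.sh ROOT ALLOWLIST
if [ "$#" -ge 2 ]; then
    unexpected_setuid "$1" "$2"
fi
```

Review the reported paths by hand before passing any of them to strip_setuid, since programs such as su and passwd need the bit to work.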