[952] in linux-security and linux-alert archive
Re: [linux-security] Security hole in Abuse game (in RedHat 2.1)
daemon@ATHENA.MIT.EDU (Alan Cox)
Thu Jul 25 04:32:29 1996
From: Alan Cox <alan@cymru.net>
To: tim@webxs.com (Tim Wilfong)
Date: Wed, 24 Jul 1996 13:15:05 +0100 (BST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <31F47454.6FD75B1C@webxs.com> from "Tim Wilfong" at Jul 22, 96 11:42:28 pm
> Here's one that I never would have thought of until it hit me! There is a
> security hole in the game called Abuse that is shipped in the RedHat 2.1
> distribution (others?) that allows a hacker to create an suid root shell.
>
> This game is usually installed in /usr/lib/games/abuse. If you have it on a
> sensitive system, get rid of it. There is a shell script floating around
> that makes it fairly easy for even novice hackers to use this hole.
Correct. The abuse bug is well known and a fixed abuse was put out months
ago. It's in the redhat upgrades set, and noted on the redhat notes. If you
are running an OS (any OS) _PLEASE_ keep up to date with vendor info.
> I found (there have been requests for this list in the past right?):
> network: rcp, rlogin, rsh, traceroute, sliplogin, timedc, ping.
If you are running an old old setup make sure you have the 3.0.3 fixed
rlogin (this is a really nasty one - the old netkit rlogin client strcpy's
TERM into a fixed 2K buffer. That also applies to *BSD (just been fixed) and
probably to every 'commercial' vendor who will no doubt fix it in a decade
or two).
Older sliplogins also had some IFS and ENV= exploits.
Alan
[REW: Yes, make sure that you have the newest netkit. Allow me to
ramble a little. Some systems require such high security standards
that they should upgrade every subsystem that has a "known hole".
This does require effort from the administrator, which may not be
worth the trouble (maybe the security requirements are such that an
occasional eye on the log files is considered enough). In that
situation you would occasionally upgrade your whole system and hope to
get rid of most holes. I find it therefore VERY important that fixes
get back to the maintainers: there is nothing more frustrating than
fixing a bug and finding out that an old hole is still present...
David Holland remarks that lpr has bugs. Is that also the case in
the linux version? Is LPRng or PLP better?]
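Both bugs Alan names come from a privileged program trusting what its caller put in the environment: the old rlogin client copied TERM into a fixed buffer with no length check, and sliplogin let IFS and ENV through to a shell. The following is an added example, not code from netkit, sliplogin or any vendor package; the bound TERM_MAX, the function names term_copy_checked, term_length_accepted and scrub_env, and the two-entry variable list are my own choices. It shows the length and character check the old client lacked (rejecting rather than truncating an oversize TERM) and the environment scrubbing a setuid program should do before anything could hand those variables to a shell.

```c
/* Defensive handling of caller-supplied environment in a privileged program.
 * Added example; not code from netkit, sliplogin or any vendor package. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative bound (assumption): far smaller than the 2K buffer the old
 * client used, and still larger than any real terminal-type name. */
#define TERM_MAX 64

/* Copy TERM into dst only if it fits and contains only characters a
 * terminal-type name can legitimately hold. Rejecting, rather than
 * silently truncating, keeps a bogus value from ever reaching the peer.
 * Returns 1 when dst holds the value, 0 when it was rejected (dst = ""). */
int term_copy_checked(const char *term, char *dst, size_t dstlen)
{
    size_t i;

    if (dstlen == 0)
        return 0;
    dst[0] = '\0';
    if (term == NULL || term[0] == '\0')
        return 0;
    for (i = 0; term[i] != '\0'; i++) {
        unsigned char c = (unsigned char)term[i];
        if (i + 1 >= dstlen)            /* no room left for the terminator */
            return 0;
        if (!isalnum(c) && c != '-' && c != '+' && c != '.' && c != '_')
            return 0;
    }
    memcpy(dst, term, i + 1);           /* i + 1 <= dstlen, checked above */
    return 1;
}

/* Probe helper for the example: build a TERM of `len` x's and report
 * whether term_copy_checked() accepts it into a TERM_MAX-byte buffer. */
int term_length_accepted(size_t len)
{
    char dst[TERM_MAX];
    char *probe = malloc(len + 1);
    int ok;

    if (probe == NULL)
        return 0;
    memset(probe, 'x', len);
    probe[len] = '\0';
    ok = term_copy_checked(probe, dst, sizeof dst);
    free(probe);
    return ok;
}

/* Variables a setuid program must not inherit from its caller. IFS and ENV
 * are the two the message names; a real program would extend this list. */
static const char *const untrusted_env[] = { "IFS", "ENV", NULL };

/* Remove them before anything (a shell, popen(), system()) could read them.
 * Returns how many were actually present and removed. */
int scrub_env(void)
{
    int removed = 0;
    const char *const *name;

    for (name = untrusted_env; *name != NULL; name++) {
        if (getenv(*name) != NULL) {
            unsetenv(*name);
            removed++;
        }
    }
    return removed;
}

int main(void)
{
    char term[TERM_MAX];

    /* Constructed environment for the demonstration (placeholder values). */
    setenv("IFS", " \t\n", 1);
    setenv("ENV", "/tmp/example-rc", 1);
    printf("scrubbed %d untrusted variable(s)\n", scrub_env());

    printf("TERM=xterm accepted: %d\n",
           term_copy_checked("xterm", term, sizeof term));
    printf("3000-byte TERM accepted: %d\n", term_length_accepted(3000));
    return 0;
}
```

The two checks are independent: scrub_env() belongs at the very top of a setuid main(), before any library call that might spawn a shell, and term_copy_checked() replaces every unbounded strcpy() of an environment value, whatever the destination size.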