[473] in Best-of-Security


BoS: Vulnerability in Lizards game

daemon@ATHENA.MIT.EDU (SUID)
Sun Nov 16 04:21:03 1997

Delivered-To: best-of-security-mtg@menelaus.mit.edu
Date: 	Wed, 12 Nov 1997 16:30:03 +1100
Reply-To: SUID <suid@BOMBER.STEALTH.COM.AU>
From: SUID <suid@BOMBER.STEALTH.COM.AU>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
Old-X-Originated-From: From: SUID <suid@BOMBER.STEALTH.COM.AU>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


Greetings.

Recently, looking through the source of the suid root game called Lizards, I
noticed a vulnerability which trivially allows regular users at the console
to gain unauthorized root access.

The exploitable code is found in the main portion of the program, on the
second-to-last line in fact:

---
...

   system("clear");      /* "clear" is resolved via the caller's PATH, still as root */
   return EXIT_SUCCESS;
}

---

As this program does not appear to relinquish root privileges anywhere, it
executes "clear" (presumably meant to be /usr/bin/clear) as root, assuming
everything is fine. Simply changing the user's PATH environment variable to
something like PATH=.:/usr/games/lizardlib, then creating a symlink (or a sh
script) called "clear" that executes a shell of your liking, will cause that
command to be executed as root when the program exits. Voila, a root shell.

Of course this requires the game to run smoothly. This game comes with
Slackware 3.4 in the y package.

Lame fix:   chmod -s /usr/games/lizardlib/lizardshi
Better fix: Change the source code and recompile lizards to reference "clear"
            by its absolute path.
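What the hardened ending of the game could look like, as an added example (not code from the Lizards source or from the post): the PATH check shows why the environment of a setuid process cannot be trusted, and the replacement for the last lines drops root before calling system() and uses an absolute path. The privilege drop is the part that actually closes the hole; an absolute path alone still leaves system() running /bin/sh as root with the caller's environment. All function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Return 1 if every PATH entry is absolute, 0 if any entry is empty or relative
   (".", "", "bin", ...). Illustrative helper, not part of the game's source. */
int path_is_trustworthy(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        /* An empty entry ("::" or a trailing ':') means "current directory". */
        if (len == 0 || p[0] != '/')
            return 0;
        if (sep == NULL)
            return 1;
        p = sep + 1;
    }
}

/* Permanently give up setuid-root privilege in favour of the real user.
   Returns 0 on success, -1 otherwise. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    /* Group first: once the uid is no longer root, setgid() would be refused. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm the drop took effect before running anything else. */
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Hardened replacement for the game's final lines: clear the screen only after
   privilege has been dropped, and with an absolute path so PATH is never consulted.
   Returns the child's exit status, or -1 if the drop or the command failed. */
int clear_screen_safely(void)
{
    if (drop_privileges() != 0)
        return -1;
    int status = system("/usr/bin/clear");
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```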

Regards
suid@stealth.com.au
