Vulnerability in Lizards game
daemon@ATHENA.MIT.EDU (SUID)
Wed Nov 12 13:51:58 1997
Date: Wed, 12 Nov 1997 16:30:03 +1100
Reply-To: SUID <suid@BOMBER.STEALTH.COM.AU>
From: SUID <suid@BOMBER.STEALTH.COM.AU>
To: BUGTRAQ@NETSPACE.ORG
Greetings.
Recently, looking through the source of the suid root game called Lizards, I
noticed a vulnerability which makes it incredibly trivial for regular users
at the console to gain unauthorized root access.
The exploitable code is found in the main portion of the code, on the
second last line in fact:
---
...
system("clear");
return EXIT_SUCCESS;
}
---
As this program does not seem to relinquish root privileges anywhere,
it executes "clear" (supposed to be /usr/bin/clear) as root,
assuming everything is cool. Simply changing the user's PATH environment
variable to something like PATH=.:/usr/games/lizardlib, then creating a
symlink (or a sh script) called "clear" that executes a shell of your
liking, will cause that command to be executed as root when the program
exits. Voila, a root shell.
Of course this requires the game to run smoothly. This game comes with
Slackware 3.4 in the y package.
Lame fix: chmod -s /usr/games/lizardlib/lizardshi
Better fix: Change the source code, recompile lizards to reference "clear"
absolutely.
Regards
suid@stealth.com.au
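A hardened form of the exit path discussed above, added here as an example and not code from the game or from the poster: permanently drop root to the invoking user's IDs before running any external command, and run clear by absolute path with a constructed environment so the caller's PATH is never consulted. It assumes Linux/glibc (setresuid/setresgid) and that clear lives at /usr/bin/clear.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed, trusted search path handed to the child instead of the caller's PATH. */
static const char *SAFE_PATH = "PATH=/bin:/usr/bin";

/* Drop root permanently: set real, effective and saved IDs to the invoking
   user's real IDs, then verify root cannot be regained.  Returns 0 on
   success, -1 on failure.  Harmless no-op when not running set-id. */
int drop_privileges_permanently(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();
    if (setresgid(rgid, rgid, rgid) != 0) return -1;   /* group first */
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    /* If we were set-uid root, getting root back must now fail. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Run a command given by absolute path with a minimal constructed
   environment (trusted PATH, caller's TERM so clear can look up terminfo).
   Returns the child's exit status, -1 if the path is not absolute or on
   fork/wait failure, 127 if exec fails. */
int run_trusted(const char *abs_path)
{
    if (abs_path == NULL || abs_path[0] != '/') return -1;  /* refuse "clear" */
    char termbuf[64];
    const char *term = getenv("TERM");
    snprintf(termbuf, sizeof termbuf, "TERM=%s", term ? term : "dumb");
    char *const argv[] = { (char *)abs_path, NULL };
    char *const envp[] = { (char *)SAFE_PATH, termbuf, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(abs_path, argv, envp); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    if (drop_privileges_permanently() != 0) return 1;  /* never run as root past here */
    run_trusted("/usr/bin/clear");                       /* absolute path, no PATH lookup */
    return EXIT_SUCCESS;
}
```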