r00t advisory [ sol 2.5 su(1M) ]
[ Aug 25 1996 ]
There exists a vulnerability in the su(1M) program that will allow any user
to execute arbitrary commands as r00t. To exploit this vulnerability the
malicious hacker must have already obtained sgid sys (not too hard to do!).
If sulog doesn't yet exist, su will create it and then chown() it by path rather
than fchown() the descriptor it just opened, resulting in an easily exploitable
race condition between the creation and the chown().
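As an added example (this is not r00t's test program and not Sun's su source), the following C shows the hardened pattern for creating a log file such as sulog, with the racy pattern the advisory describes kept beside it for contrast: ownership and mode are applied with fchown()/fchmod() on the descriptor that was actually opened, and the descriptor is checked with fstat() before it is trusted. The function names, the scratch paths under /tmp and the use of the caller's own uid/gid are constructed for illustration; the self-check runs unprivileged in a temporary directory.

```c
#define _GNU_SOURCE          /* O_NOFOLLOW, O_CLOEXEC, mkdtemp() on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern the advisory describes, shown for contrast (hypothetical code):
 * chown() and chmod() act on the NAME, so whatever object an attacker with
 * write access to the directory places at that name between the open() and
 * the chown() is the object that ends up owned by the caller. */
int open_log_racy(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (chown(path, uid, gid) < 0 || chmod(path, 0600) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hardened opener (hypothetical): every privileged operation is applied to
 * the descriptor, so a substitution at the path after open() has no effect. */
int open_log_safely(const char *path, uid_t uid, gid_t gid)
{
    /* O_NOFOLLOW refuses a symlink planted at the log path;
     * O_CLOEXEC keeps the descriptor out of the shell su later execs. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC,
                  0600);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0 ||
        !S_ISREG(st.st_mode) ||   /* device node, fifo, directory ... */
        st.st_nlink != 1) {       /* hard link to someone else's binary */
        close(fd);
        return -1;
    }
    /* Owner and mode go to the open object, never to the path. */
    if (fchown(fd, uid, gid) < 0 || fchmod(fd, 0600) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check in a scratch directory: a symlink or a hard link planted at
 * the log path must be refused, a fresh regular file must be accepted.
 * Returns 1 when all three outcomes are as expected, 0 otherwise. */
int demo_hardened_open(void)
{
    char dir[] = "/tmp/sulogdemo.XXXXXX";   /* constructed scratch location */
    if (!mkdtemp(dir))
        return 0;

    char sym[256], hard[256], fresh[256], target[256];
    snprintf(sym, sizeof sym, "%s/sulog_sym", dir);
    snprintf(hard, sizeof hard, "%s/sulog_hard", dir);
    snprintf(fresh, sizeof fresh, "%s/sulog", dir);
    snprintf(target, sizeof target, "%s/victim", dir);

    int ok = 1, fd;
    /* A regular file standing in for "someone else's binary". */
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) ok = 0; else close(fd);
    if (symlink(target, sym) < 0) ok = 0;
    if (link(target, hard) < 0) ok = 0;

    /* Symlink at the log path: O_NOFOLLOW makes open() fail. */
    if ((fd = open_log_safely(sym, getuid(), getgid())) >= 0) { ok = 0; close(fd); }
    /* Hard link at the log path: st_nlink == 2, so it is refused. */
    if ((fd = open_log_safely(hard, getuid(), getgid())) >= 0) { ok = 0; close(fd); }
    /* Fresh path: accepted, and the resulting fd is a 0600 regular file. */
    if ((fd = open_log_safely(fresh, getuid(), getgid())) < 0) {
        ok = 0;
    } else {
        struct stat st;
        if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
            (st.st_mode & 07777) != 0600)
            ok = 0;
        close(fd);
    }

    unlink(sym); unlink(hard); unlink(fresh); unlink(target); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("hardened open behaves as expected: %s\n",
           demo_hardened_open() ? "yes" : "no");
    return 0;
}
```

The nlink check matters for exactly the attack the advisory outlines: a copy of a binary hard-linked at the sulog path would otherwise be chowned to root by the privileged process. Note that fchown()/fchmod() fix only the create-then-chown window; a directory writable by an attacker still lets an existing log be replaced, so the log directory's own permissions also need to be right.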
r00t has tested this vulnerability and successfully run the id(1) program as
euid r00t from a non root account. A simple C program that unlinks the sulog
and copies your favorite bin and chmod 4755's it works quite effectively.
We have been able to win the race normally on the 4th or 5th try.
-- Fixes ?
Our suggestion is to move back to a secure 4.2BSD based operating system -- or
perhaps just undefine sulog in /etc/default/su or spend a few minutes writing
your own version of su.
r00t -- we're all idiots.