Very Computer

r00t advisory                                           [ sol 2.5 su(1M) ]
                                                        [ Aug 25 1996    ]

-- Synposis
There exists a vunerability in the su(1M) program that will allow any user
to execute arbitray commands as r00t.  To expliot this vunerability the
malicious hacker must have already obtained sgid sys (not too hard to do!).
If sulog doesn't yet exist, su will create it and then chown() it rather than
fchown() it resulting in an easily exploitable race condition.

-- Exploitability
r00t has tested this vunerability and successfully run the id(1) program as
euid r00t from a non root account.  A simple C program that unlinks the sulog
and copies your favorite bin and chmod 4755's it works quite effectively.
We have been able to win the race on normally the 4th or 5th try.

-- Fixes ?
Our suggestion is to move back to a secure 4.2BSD based operating system -- or
perhaps just undefine sulog in /etc/default/su or spend a few minutes writing
your own version of su.

r00t -- we're all idiots.

Quote:>There exists a vunerability in the su(1M) program that will allow any user
>to execute arbitray commands as r00t.  To expliot this vunerability the
>malicious hacker must have already obtained sgid sys (not too hard to do!).

--
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-

Quote:

> r00t advisory                                              [ sol 2.5 su(1M) ]
>                                                    [ Aug 25 1996    ]
...
> To expliot this vunerability the
> malicious hacker must have already obtained sgid sys (not too hard to do!).

% /bin/ls -ld /usr /etc
drwxrwxr-x  24 root     sys         3584 Aug 27 10:01 /etc
drwxrwxr-x  33 root     sys         1024 Mar 19 14:16 /usr

so if they've got gid sys they don't need to mess with su.

-Peter Tribble