[NTLUG:Discuss] Corel Linux

MadHat madhat at unspecific.com
Mon Feb 28 09:43:02 CST 2000 

A recent post to Bugtraq[2] mentions several exploits on Corel Linux. 
I know there are lots of exploit announcements, but I thought this one
was worth pointing out to the list.  If you are running Corel, you can
either disable the commands[1] mentioned, or change to another Distro.

[1] 'chmod'ing is easy, 'chmod 000 /path/to/command', but won't get rid
of the problem, just protect against people using it if they gain access
to your system.  Removing them would work, but may cause problems.

[2] http://www.securityfocus.com/  then click on Forums, then Bugtraq. 
for those who aren't familiar with it:
"BugTraq is a full disclosure moderated mailing list for the *detailed*
discussion and announcement of computer security vulnerabilities: what
they are, how to exploit them, and how to fix them."  *WARNING*  This
can be a high traffic list.


--- QUOTED FROM BUGTRAQ ----

suid at suid.kg - Corel xconf utils local root (among others)
vulnerability.

Advisory Author:        suid at suid.kg
Software:               Corel Linux 1.0 xconf utilities
URL:                    http://linux.corel.com
Version:                Version 1.0
Platforms:              Corel Linux only.

Summary:

        Local users can take advantage of lack of input validation and
        the lack of privilege dropping to gain root access, or perform
        a denial of service attack on Corel Linux systems.

Vulnerabilities:

        There are multiple vulnerabilities. I know I have missed some
        here. For example, I saw some /tmp files being used with the
        return value of time(NULL) as an attempt at selecting a unique
        filename. I haven't written these up here however.

        (1) Appending garbage XF86Config data to any file on the system

            /sbin/buildxconf does no input validation and is setuid
root.
            Invoking it with the -f argument, a user can specify a
filename
            to output to. Example /etc/shadow.

        (2) Replacing the first line of any existing file with garbage.

            As above, no input validation. When invoked with the -x
            command buildxconf replaces the first line of the specified
            file with the path/filename of an X server. An effective
            denial of service against /etc/passwd root account.

        (3) Create root owned world writable files anywhere on the file
system.

            Again, buildxconf does no input validation or directory
            permission checks. specifying -x or -f on a non existent
            filename creates that file mode 0666. Set your umask to 0.

        (4) Executing arbitrary commands with euid root.

            A touch different. /sbin/setxconf allows users to test X
configs
            with the -T switch. This process eventually invokes xinit
with
            euid root. A quick look at the xinit man page will tell you
            that xinit looks at ~/.xserverrc and will execute things in
there
            while starting.

In the interests of keeping this post short I have left the rest of this
advisory off. If your interested in exploit/workaround information
visit:
http://www.suid.kg/advisories/007.txt

Regards,
suid at suid.kg

-- 
%_=split';','f; Perl ;h;st a;o;ker;@;not;.;hac;u;her;d;ju';
print map $_{$_}, split //,
'madhat at unspecific.com'

More information about the Discuss mailing list