Local root exploit in SuSE Linux 8.2Pro

From: Stefan Nordhausen (deletethis.nordhaus_at_informatik.hu-berlin.de)
Date: 10/06/03

    To: bugtraq@securityfocus.com
    Date: Mon, 6 Oct 2003 15:08:02 +0200
    
    

    Affected:               SuSE Linux 8.2Pro
    Not affected:           SuSE Linux 7.3Pro, non-SuSE distributions
    Possibly affected:      other SuSE distributions
    Vulnerable package:     susewm

    Impact:                 Local user can gain root privileges
    Exploit type:           Symlink attack
    Release date:           October 6th 2003
    Vendor status:          SuSE was contacted on September 4th (> 1 month ago).
                            No SuSE-patch yet.

    A symlink vulnerability exists in the shell script
    /sbin/conf.d/SuSEconfig.susewm, line 86. This shell script is part of the
    "susewm" package. This package is required by the package "kdebase3", so if
    KDE3 is installed on your system(s), you should be vulnerable.

    This vulnerability can be used by a local attacker to gain root privileges. An
    exploit has already been written by me, but I will not release it before
    October 20th.

    Workaround:
    As there is no SuSE patch available yet, you will have to fix this yourself.
    You can use the following quick'n'dirty patch to fix the issue. Note however
    that I am NOT responsible if you mess up your system! You should know what
    you're doing!

    In the mentioned script you should replace _every_ occurrence of

    $r/tmp/susewm.$$

    with the following:

    $r/root/susewm.$$

    It's not pretty, but it should work.

    This advisory, contact information and the exploit can be found at
    http://www.hu-berlin.de/~nordhaus/sec/vul/index.html

    --
    You cannot spell "believe" without "lie".
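
Added example, not part of the original advisory and not SuSE's code: a way to find the predictable `/tmp/...$$` pattern the advisory names and to create the scratch file with mktemp instead. The function names and the sample script lines are constructed for illustration, and the mktemp form is an alternative to the advisory's /root workaround, not the vendor fix.

```shell
#!/bin/sh
# Added example, not code from the advisory or from SuSE.
# Function names are hypothetical; the sample script lines are constructed.

# Print every line of script "$1" that builds a temp-file name from a
# world-writable directory plus the shell PID ($$). Any local user can
# predict that name and create it first, for example as a symlink.
find_predictable_tmp() {
    grep -nE '/(tmp|var/tmp)/[^[:space:]"]*\$\$' "$1"
}

# Create a scratch file that cannot be pre-planted: mktemp chooses a random
# name and creates it exclusively (it fails rather than reuse an existing
# file or symlink); umask 077 keeps it private to the caller.
make_private_tmp() {
    ( umask 077 && mktemp "${TMPDIR:-/tmp}/susewm.XXXXXXXXXX" )
}

# Constructed sample: line 2 uses the pattern the advisory names,
# line 3 the advisory's workaround, line 4 the mktemp form.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
echo "settings" > $r/tmp/susewm.$$
echo "settings" > $r/root/susewm.$$
t=$(mktemp /tmp/susewm.XXXXXXXXXX) && echo "settings" > "$t"
EOF
}

demo() {
    work=$(mktemp -d) || return 1
    write_sample_script "$work/sample.sh"
    find_predictable_tmp "$work/sample.sh"   # flags line 2 only
    scratch=$(make_private_tmp) || return 1
    ls -l "$scratch"                         # private file, random suffix
    rm -rf "$work" "$scratch"
}

demo
```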
    
