Horrendous suidexec hole

Summary
Description:Debian Linux apparently distributes a program called suidexec as part of the suidmanager package. This program is trivially exploitable to run any program on the system as root.
Author:Thomas Roessler <roessler@GUUG.DE>
Compromise: root (local)
Vulnerable Systems:Debian Linux 2.0 (probably won't be in the final 2.0 Hamm release).
Date:28 April 1998
Details


Date: Tue, 28 Apr 1998 15:28:54 +0200
From: Thomas Roessler <roessler@GUUG.DE>
To: BUGTRAQ@NETSPACE.ORG
Subject: [Debian 2.0] /usr/bin/suidexec gives root access

    [The following text is in the "iso-8859-1" character set]
    [Your display is set for the "US-ASCII" character set]
    [Some characters may be displayed incorrectly]

Executive summary: /usr/bin/suidexec gives every user a
root shell.  Remove it.

tlr

----- Forwarded message from Thomas Roessler <roessler@guug.de> -----

Date: Tue, 28 Apr 1998 15:21:17 +0200
From: Thomas Roessler <roessler@guug.de>
Subject: suidmanager: SECURITY BREACH: /usr/bin/suidexec gives root access to every user on the system
To: submit@bugs.debian.org

Package: suidmanager
Version: 0.18

[This report also goes to the bugtraq mailing list.]

/usr/bin/suidexec will execute arbitrary commands as root,
as soon as just _one_ suid root shell script can be found
on the system: Just invoke

         /usr/bin/suidexec <your program> /path/to/script

- it will happily execute your program with euid = 0. This
is completely sufficient for doing arbitrary damage on the
system.

Additionally, suidexec will fail with shells which close
all but the "standard" file descriptorson startup:
/proc/self/fd/<N> (which is the file descriptor suidexec
has opened for the shell script in question) will have
vanished after this.  I am actually considering this a
feature, as it avoids some of the $HOME/.cshrc related
standard exploits.

SOLUTION: Just drop suidexec from the distribution. Trying
to do setuid shell scripts is almost always a bad idea. If
you absolutely need such things, use sudo.

-- System Information
Debian Release: 2.0 (frozen)
Kernel Version: Linux sobolev 2.0.33 #16 Sun Apr 19 23:48:02 MEST 1998 i586 unknown

Versions of the packages suidmanager depends on:
libc6   Version: 2.0.7pre1-4


----- End forwarded message -----

--
Thomas Roessler  74a353cc0b19  dg1ktr  http://home.pages.de/~roessler/
     2048/CE6AC6C1  4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
Date: Wed, 29 Apr 1998 06:45:19 +1100
From: Russell Coker - mailing lists account <bofh@COKER.COM.AU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: [Debian 2.0] /usr/bin/suidexec gives root access

>Executive summary: /usr/bin/suidexec gives every user a
>root shell.  Remove it.

  Also change the suidexec line in /etc/suid.conf to the following so it never
gets the SUID bit again: suidmanager /usr/bin/suidexec root root 755
                                       ^^^^
The default is 4755.


---
Vote 1; Claudia Christian.
http://www.worldcharts.nl/xindex.html
Date: Tue, 28 Apr 1998 14:32:54 -0700
From: Joey Hess <joey@KITENET.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: [Debian 2.0] /usr/bin/suidexec gives root access

Russell Coker - mailing lists account wrote:
> >Executive summary: /usr/bin/suidexec gives every user a
> >root shell.  Remove it.
>
>   Also change the suidexec line in /etc/suid.conf to the following so it never
> gets the SUID bit again: suidmanager /usr/bin/suidexec root root 755
>                                        ^^^^
> The default is 4755.

A simpler fix is to just upgrade to suidmanager 0.19 (from
ftp://ftp1.us.debian.org/debian/Incoming/suidmanager_0.19_all.deb), which
removes the suidexec program entirely.

--
see shy jo

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault