Subject: bin/4489: /usr/games/fish allows setuid games binaries to be created by unprivileged user
To: None <gnats-bugs@gnats.netbsd.org>
From: Mika Nystroem <mika@saxophone.cs.caltech.edu>
List: netbsd-bugs
Date: 11/14/1997 05:34:41
>Number: 4489
>Category: bin
>Synopsis: /usr/games/fish allows setuid games binaries to be created by unprivileged user
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Nov 14 05:50:04 1997
>Last-Modified:
>Originator: Mika Nystroem
>Organization:
Department of Computer Science
California Institute of Technology
>Release: Oct. 26, 1997
>Environment:
System: NetBSD saxophone.cs.caltech.edu 1.3_ALPHA NetBSD 1.3_ALPHA (PENTAMATIC) #10: Sun Oct 26 05:18:51 PST 1997 root@saxophone.cs.caltech.edu:/usr/src/sys/arch/i386/compile/PENTAMATIC i386
>Description:
/usr/games binaries are invoked by dm, which is setuid games.
fish doesn't change its uid back (this is my understanding of how this
works, anyhow). By using a permissive SHELL (at least I had to change
it from /usr/local/bin/tcsh), it is possible to make fish, when it lets
you read the instructions, spawn vi. From vi, you can enter ex-mode
and cp /bin/sh to /tmp and then chmod 4711 /tmp/sh. This gives a
setuid games shell. From here, an intruder could implant a trojan
in /usr/games/fortune, for instance...
I checked this on a plain out-of-the-box install of 1.3_ALPHA, so I'm
pretty sure it's not a local configuration problem.
>How-To-Repeat:
Obvious from the above.
>Fix:
There are many ways to do this... nothing spectacularly
elegant comes immediately to mind.
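One defensive building block for the kind of fix left open above: a game started under a setgid/setuid identity that must run an external pager or editor should first drop permanently back to the invoking user and discard the environment variables that steer a pager toward an interactive shell. This is an added example in C, not code from the NetBSD games tree or from the reporter; the helper names drop_privileges and scrub_env and the variable list are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Permanently give up the setuid/setgid identity (e.g. "games") and return
 * to the real user who invoked the game. Returns 0 on success, -1 on failure.
 * Assumed helper, not from the NetBSD games tree. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Drop the group first: once the uid is gone we may no longer be allowed
     * to change groups. On a non-root process setgid/setuid replace the real,
     * effective and saved ids together, so the old identity cannot come back. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;

    /* Verify the drop (only meaningful once we are no longer root):
     * regaining the previous effective ids must now fail. */
    if (ruid != 0) {
        if (egid != rgid && setegid(egid) == 0)
            return -1;
        if (euid != ruid && seteuid(euid) == 0)
            return -1;
    }
    return 0;
}

/* Remove the environment variables through which a pager or editor can be
 * steered into an interactive shell. Returns the number of variables removed. */
int scrub_env(void)
{
    static const char *const risky[] = {
        "SHELL", "PAGER", "EDITOR", "VISUAL", "MORE", "LESS", NULL
    };
    int removed = 0;
    for (int i = 0; risky[i] != NULL; i++) {
        if (getenv(risky[i]) != NULL) {
            unsetenv(risky[i]);
            removed++;
        }
    }
    return removed;
}

int main(void)
{
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    int n = scrub_env();
    printf("now uid %u, removed %d risky variables\n", (unsigned)geteuid(), n);
    /* Only now would it be safe to exec a pager such as /usr/bin/more. */
    return 0;
}
```
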
>Audit-Trail:
>Unformatted: