Subject: bin/4489: /usr/games/fish allows setuid games binaries to be created by unprivileged user
To: None <email@example.com>
From: Mika Nystroem <firstname.lastname@example.org>
Date: 11/14/1997 05:34:41
>Synopsis: /usr/games/fish allows setuid games binaries to be created by unprivileged user
>Responsible: bin-bug-people (Utility Bug People)
>Arrival-Date: Fri Nov 14 05:50:04 1997
>Originator: Mika Nystroem
Department of Computer Science
California Institute of Technology
>Release: Oct. 26, 1997
System: NetBSD saxophone.cs.caltech.edu 1.3_ALPHA NetBSD 1.3_ALPHA (PENTAMATIC) #10: Sun Oct 26 05:18:51 PST 1997 email@example.com:/usr/src/sys/arch/i386/compile/PENTAMATIC i386
/usr/games binaries are invoked by dm, which is setuid games.
fish doesn't change its uid back (this is my understanding of how this
works, anyhow). By using a permissive SHELL (at least I had to change
it from /usr/local/bin/tcsh), it is possible to make fish, when it lets
you read the instructions, spawn vi. From vi, you can enter ex-mode
and cp /bin/sh to /tmp and then chmod 4711 /tmp/sh. This gives a
setuid games shell. From here, an intruder could implant a trojan
in /usr/games/fortune, for instance...
I checked this on a plain out-of-the-box install of 1.3_ALPHA, so I'm
pretty sure it's not a local configuration problem.
Obvious from the above.
There are many ways to do this........ nothing spectacularly
elegant comes immediately to mind.