Hello,

I am not sure if this has been published; if so, I'm sorry, but while searching some security sites I found this advisory and root exploit for SuSE 6.*. This is not mine and I do not take credit for it.

L0ki

===================

TESO Security Advisory 2000/03/14

kreatecd local root compromise

Summary
===================

  A vulnerability within the kreatecd application for Linux has been discovered. An attacker can gain local root access.

Systems Affected
===================

  Any system which has kreatecd installed as set-UID root. This also affects a configure; make; make install procedure.

  Among the vulnerable distributions (if the package is installed) are the following systems:

  Halloween Linux Version 4
  SuSE 6.x

Tests
===================

  [stealth@liane stealth]$ stat `which kreatecd`
    File: "/usr/bin/kreatecd"
    Size: 229068        Filetype: Regular File
    Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
  Device:  3,1   Inode: 360053    Links: 1
  Access: Tue Mar 14 14:48:21 2000(00000.00:00:45)
  Modify: Tue Mar 14 14:48:21 2000(00000.00:00:45)
  Change: Tue Mar 14 14:48:21 2000(00000.00:00:45)
  [stealth@liane stealth]$ id
  uid=500(stealth) gid=500(stealth) groups=500(stealth)
  [stealth@liane stealth]$ /tmp/kreatur
  (... some diagnostic messages ...)
  Creating suid-maker...
  Creating boom-shell...

  Execute kreatecd and follow the menus:
    Configure -> Paths -- change the path for cdrecord to /tmp/xxx
    Apply -> OK
    Configure -> SCSI -> OK

  Execute /tmp/boomsh

  BEHAVE!
  (poking around with GUI...)
  [stealth@liane stealth]$ /tmp/boomsh
  [root@liane stealth]# id
  uid=0(root) gid=500(stealth) groups=500(stealth)
  [root@liane stealth]#

Impact
===================

  An attacker may gain local root access to a system where the vulnerable kreatecd package is installed. It might be difficult for a remote attacker who gained local user access, due to the GUI nature of the vulnerable program. I would appreciate help with some tips on how one can get an instant root shell without clicking around.
Explanation
===================

  Kreatecd, which runs with the saved user-id of 0, blindly trusts paths to CD-recording software given by an unprivileged user. It then invokes this software with EUID 0 when the user just clicks around a little in the menus.

Solution
===================

  The author and the distributor have been informed beforehand. Remove the suid bit of kreatecd.

Acknowledgments
================

  The bug discovery and the demonstration programs are due to S. Krahmer [1]. This advisory has been written by S. Krahmer.

Contact Information
===================

  The TESO crew can be reached by mailing to teso@coredump.cx. Our web page is at https://teso.scene.at/. C-Skills developers may be reached through [1].

References
===================

  [1] S. Krahmer, C-Skills
      http://www.cs.uni-potsdam.de/homepages/students/linuxer/

  [2] TESO
      http://teso.scene.at or https://teso.scene.at/

Disclaimer
===================

  This advisory does not claim to be complete or to be usable for any purpose. Especially, information on the vulnerable systems may be inaccurate or wrong. The supplied exploit is not to be used for malicious purposes, but for educational purposes only.

  This advisory is free for open distribution in unmodified form. Articles that are based on information from this advisory should include links [1] and [2].

Exploit
===================

  We've created a working demonstration program to exploit the vulnerability.
  The exploit is available from

  http://teso.scene.at/ or https://teso.scene.at/

  and
  http://www.cs.uni-potsdam.de/homepages/students/linuxer

Attachment: kreatur.pl (application/octet-stream)
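As an added illustration of the pattern the Explanation describes (this is not kreatecd's code or TESO's demonstration program): a set-UID launcher that refuses helper paths outside a constructed allowlist of root-owned directories and permanently drops its privileges before exec, the two steps kreatecd omitted when it ran the GUI-configured cdrecord path with EUID 0. TRUSTED_DIRS, validate_helper_path, drop_privileges and run_helper are names invented for this example.

```c
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed allowlist: directories a set-UID launcher may exec helpers from. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin/", "/usr/local/bin/", "/bin/", NULL };
/* 0 if a privileged launcher may exec path, -1 otherwise (the check kreatecd skipped). */
int validate_helper_path(const char *path)
{
    struct stat st; int i, ok = 0;
    if (path == NULL || path[0] != '/' || strstr(path, "..") != NULL)
        return -1;                                /* relative path or traversal */
    for (i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        size_t n = strlen(TRUSTED_DIRS[i]);
        if (strncmp(path, TRUSTED_DIRS[i], n) == 0 && strchr(path + n, '/') == NULL)
            ok = 1;                               /* directly inside a trusted directory */
    }
    if (!ok || stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                                /* e.g. /tmp/xxx from the GUI config */
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;                                /* not root-owned, or others can replace it */
    return 0;
}

/* Give up effective and saved uid 0 for good; 0 once back at the real ids. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    /* setuid() from euid 0 also clears the saved uid; verify rather than assume. */
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* Exec the helper with the caller's own privileges; returns the child's exit status or -1. */
int run_helper(const char *path, char *const argv[])
{
    int status; pid_t pid;
    if (validate_helper_path(path) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                               /* child: drop root, then exec */
        if (drop_privileges() == 0)
            execv(path, argv);
        _exit(127);                               /* exec failed or privileges were kept */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Removing the suid bit, as the advisory recommends, remains the simplest fix; the allowlist and privilege drop are what a launcher that must stay set-UID would need in addition.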