007.txt

007.txt: Posted Feb 25, 2000; Authored by Suid | Site suid.kg; SUID Advisory #7 - Corel xconf utils local root (among others) vulnerability - Local users can take advantage of lack of input validation and the lack of privilege dropping to gain root access, read any file, or perform a denial of service attack on Corel Linux systems.; tags | denial of service, local, root; systems | linux; SHA-256 | e0779a0f39462f1e76553c9a16bd665c4bd32dbc04921ce7b2363ed40212fb1b; Download | Favorite | View

007.txt

suid@suid.kg - Corel xconf utils local root (among others) vulnerability.

Advisory Author:  suid@suid.kg
Software:     Corel Linux 1.0 xconf utilities
URL:      http://linux.corel.com
Version:    Version 1.0
Platforms:    Corel Linux only.

Summary:

  Local users can take advantage of lack of input validation and
  the lack of privilege dropping to gain root access, or perform
  a denial of service attack on Corel Linux systems.

Vulnerabilities:

  There are multiple vulnerabilities. I know I have missed some
  here. For example, I saw some /tmp files being used with the
  return value of time(NULL) as an attempt at selecting a unique
  filename. I haven't written these up here however.

  (1) Appending garbage XF86Config data to any file on the system

      /sbin/buildxconf does no input validation and is setuid root.
      Invoking it with the -f argument, a user can specify a filename
      to output to. Example /etc/shadow.

  (2) Replacing the first line of any existing file with garbage.

            As above, no input validation. When invoked with the -x
            command buildxconf replaces the first line of the specified
            file with the path/filename of an X server. An effective
            denial of service against /etc/passwd root account.

  (3) Create root owned world writable files anywhere on the file system.

      Again, buildxconf does no input validation or directory
      permission checks. specifying -x or -f on a non existent
            filename creates that file mode 0666. Set your umask to 0.

  (4) Executing arbitrary commands with euid root.

      A touch different. /sbin/setxconf allows users to test X configs
      with the -T switch. This process eventually invokes xinit with
      euid root. A quick look at the xinit man page will tell you
      that xinit looks at ~/.xserverrc and will execute things in there
            while starting.

In the interests of keeping this post short I have left the rest of this
advisory off. If your interested in exploit/workaround information visit:
http://www.suid.kg/advisories/007.txt

Regards,
suid@suid.kg

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

007.txt

007.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

007.txt

Share This

007.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems