what you don't know can hurt you

Linbert.txt

Linbert.txt
Posted Feb 16, 2000
Authored by Grampa Elite

Linberto v1.0.2 (Q-Bert linux clone) can overwrite any file on the system, via insecure use of /tmp.

tags | exploit
systems | linux
MD5 | ab31ea2dcdf43ae4829995c7d386306f

Linbert.txt

Change Mirror Download

Vulnerability: Any user can overwrite any file in the system.
title=Linberto v1.0.2 (Q-Bert clone)
author=diego@grigna.com (Diego Javier Grigna)
system=Linux, svgalib
foundby=grampae@netwurx.net (Grampa Elite)

Overview: Linberto under default installation creates screenshots under
the /tmp directory when the user presses F1. Take a look at this snippet from
the installation docs.
-------------------------------begin-screenshot.txt----------------------------
When you press F1 anywhere when running the game, a screen shot
of the current screen will be saved to the directory LINBERTO_SCREENSDIR
which is (by default in the Makefile) /tmp/.

The program makes two files:

LINBERTO_SCREENSDIR/linbertossXXXX.raw ---> Which contains the image data
(the byte of each pixel).

and

LINBERTO_SCREENSDIR/linbertossXXXX.pal ---> Which contains the palette in
the format:
"Color index, Red, Green, Blue\n"


The "XXXX" in the filename is a number from 0000 to 9999. Each time a
screen shot is made, the program will try to use the lowest possible
number (0000 by default) if that file exists that number will be incre-
mented by one, until a non existing filename is found.
-------------------------------end-screenshot.txt------------------------------

The problem is that it does not check to see if the file linbertossXXXX.pal
is currently there as Diego says it does, and follows symlinks. Linberto is not
root suid which actually does not matter, since this is a console game for X
that installs executable only by root.
So as an example we would do a "ln -s /etc/passwd /tmp/linbertoss0000.pal"
or any other file you would like to overwrite, and wait for root to play
linberto and take a screen capture. If the linbertossXXXX.pal and .raw
files are already in /tmp, just use the next number.
Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    4 Files
  • 13
    Apr 13th
    15 Files
  • 14
    Apr 14th
    27 Files
  • 15
    Apr 15th
    19 Files
  • 16
    Apr 16th
    7 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close