Greg Alexander
1997-Apr-23 21:39 UTC
Linux squake security hole (provides root if squake is installed mode 4755)
I'll just include the letter that I sent to John Carmack and Dave "Zoid" Kirsch concerning this problem.

----------------------------------------------------------------------
From: Greg Alexander <galexand@sietch.bloomington.in.us>
Approved: R.E.Wolff@BitWizard.nl
To: zoid@threewave.com
cc: johnc@idsoftware.com
Subject: Security hole in squake.

Please respond with this mail if for nothing else than just to say "I got it, I don't give a damn, go away." just so I know you got it...otherwise I'll resend it every week until I get an ack. (I understand that you're both very busy and tend to miss mail, I just feel that this is a rather important problem).

johnc: Sorry if this doesn't pertain directly to you, I just thought you might like to know of this hole.

I'm not totally certain how to exploit this, and it may not be exploitable. But I'd bet money that it is exploitable and I figured you'd like to know before BUGTRAQ. Anyways, now for the explanation.

Zoid moved my vga_init() call, which was in the .c file with the linux main(), into the svgalib .c file, apparently. While this is more "clean" (esp. considering my stupid inclusion of vga_init() { } into the X-specific .c files), the problem is that any program using svgalib needs to be setuid root. vga_init() is the function that gives up root access. If you call vga_init() at the beginning of main(), no problemo. If you call it later then everything executed before vga_init() will be run as root.

Quake is a very easy program to cause to segfault. If a program can be made to segfault while it is being run as root, it is almost always capable of obtaining root. There are probably several segfault opportunities, but the most obvious is in the commandline parsing: "squake -game aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" will segfault you any time.
The fix is simple -- move the vga_init() call back to the beginning of main. You may want to put the svgalib main stuff into its own file so you don't have to do the ugliness of adding a vga_init() { } into the X and other platform files.

It can be temporarily pseudo-fixed by merely doing

    chown root.console squake; chmod 4750 squake

and making sure that only trusted individuals are in group console.

FYI, sdoom had a very similar bug that was posted on BUGTRAQ. It ran its soundserver before relinquishing root, a very bad thing.

If you would like to be the first to release this bug to the press (BUGTRAQ, linux-alert, linux-security, CERT advisory, etc.) in the form of a new version of squake, just let me know. Otherwise I was planning on sending out the word myself.

Also, just a little nit-pick. Now it looks like, on error opening /dev/cdrom, it has something like:

    printf("CDAudio_Init: open of \"/dev/cdrom\" failed(%d)\n",errno);

That error number in ()'s there is pretty useless. People will probably start seeing "permission denied" errors there if you make the rootness stuff work reasonably, but they won't have any idea what the error number means. Maybe change it to something more like:

    printf("CDAudio_Init: open of \"/dev/cdrom\" failed(%s)\n",sys_errlist[errno]);

Thank you for reading all of this drivel. Have a nice day.

Greg Alexander
----------------------------------------------------------------------

John Carmack responded saying that it was up to Zoid to fix the problem. Zoid responded by saying that he would have to think of a way to open /dev/cdrom and /dev/mouse before giving up root. I do not know how seriously he intends to pursue this, though.

For those in the cc: There is no reason to have root open /dev/cdrom or /dev/mouse unless you cannot administer a proper linux system.
Greg Alexander
http://www.cia-g.com/~sietch/
----
"I read about monkeys in the encyclopedia as soon as I got home from the funeral and I wonder if this one throws turds and masturbates all the time like those monkeys saw it the zoo in San Francisco or if witness monkeys are more like people." -- a character in Orson Scott Card and Kathryn H. Kidd's novel, Lovelock.