-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1997.13: Vulnerability in the "abuse"

Caldera Security Advisory SA-1997.13

Original report date: 15-Jul-1997
RPM build date:       29-Jul-1997
Original issue date:  19-Aug-1997

Topic: Vulnerability in the game "abuse"

I. Problem Description

   The abuse package installs the game binary
   /usr/lib/games/abuse/abuse.console suid root, which creates a
   security vulnerability. The abuse.console program loads its files
   without absolute pathnames, assuming the user is running abuse
   from the /usr/lib/games/abuse directory. One of these files is
   the undrv program, which abuse executes as root. If the user is
   not in the abuse directory when running this, an arbitrary
   program can be substituted for undrv, allowing the user to
   execute arbitrary commands as root.

II. Impact

   An unprivileged user can execute commands as root, or open a
   shell as root.

   Abuse was distributed on the following OpenLinux releases:

      CND 1.0
      Base 1.0
      Lite 1.1
      Base 1.1
      Standard 1.1

   To determine if you are affected and need this update, you may do
   the following:

      rpm -q abuse

   If the results show abuse-1.10-1, then you will need to update.

III. Solution

   As a temporary workaround, you can remove the suid bit from abuse:

      chmod -s /usr/lib/games/abuse/abuse.console

   This will fix the problem, but will render the abuse.console game
   unusable to anyone except root.

   A better solution is to install the new abuse-1.10-2 package that
   contains the fixed version of abuse. It can be found on Caldera's
   FTP server (ftp.caldera.com):

      /pub/openlinux/updates/1.1/current/RPMS/abuse-1.10-2.i386.rpm

   Source files are also available at:

      /pub/openlinux/updates/1.1/current/SPMS/abuse-1.10-2.src.rpm

   The MD5 checksums (from the "md5sum" command) for these packages
   are:

      dcfb1fc36d12f1dff9b137a96e0a92fd  RPMS/abuse-1.10-2.i386.rpm
      7ef5241a09f955bb7fe16abca716afac  SRPMS/abuse-1.10-2.src.rpm

   Changes in abuse-1.10-2 were:

      * remove the setuid bit from /usr/lib/games/abuse/abuse.console
      * added a secure setuid wrapper /usr/games/abuse

   CND will need to upgrade to a newer version of the RPM tool to
   install this package. See:

      ftp://ftp.caldera.com/pub/cnd-1.0/updates/rpm-upgrade.README

IV. References / Credits

   David Meltzer
   http://www.reptile.net/linux/abuse-exploit.txt

   This advisory closes Caldera's internal bug report #801

V. PGP Signature

   This message was signed with the PGP key for .

   This key can be obtained from:
      ftp://ftp.caldera.com/pub/pgp-keys/

   Or on an OpenLinux CDROM under:
      /OpenLinux/pgp-keys/

$Id: SA-1997.13,v 1.1 1997/08/19 16:08:52 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBM/nFZen+9R4958LpAQEmWAP9FGNHciZ0Suv0BIawlutzSpS09Vvamt3P
FhTZuGifVSKV8jWjDx3Z+zBcntiCEgWeqPMffgg5qupwrEa3PMdxJi3gC0FBpe6Z
SIDNa2ZwDbgJKjoerYC8SmeCmIzQM1zIjXx2k5gX7YUVO49i7ebcp2EjIDmW+CaP
ch2kg08waOM=
=6BAf
-----END PGP SIGNATURE-----
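
Added example (not part of the Caldera advisory and not Caldera's wrapper code): C code showing how a privileged program can launch a helper such as undrv without depending on the caller's working directory or PATH, the flaw described in section I. Only the install directory and the helper name come from the advisory; the function names, the ownership and permission check, and the fixed PATH value are assumptions made for illustration.

```c
/* Added example, not Caldera's code. The install directory and helper name
 * come from the advisory; function names and the checks are assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define INSTALL_DIR "/usr/lib/games/abuse"

/* Build an absolute path for a helper; refuse names that carry a path. */
int helper_path(const char *dir, const char *name, char *out, size_t n)
{
    if (dir[0] != '/' || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    int len = snprintf(out, n, "%s/%s", dir, name);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Trust only a regular file owned by `owner` that group/other cannot write.
 * lstat() rejects symlinks. The directories above it must be equally
 * protected, or the file could be swapped after this check. */
int helper_is_trusted(const char *path, uid_t owner)
{
    struct stat st;
    if (path[0] != '/' || lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode) || st.st_uid != owner)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Run a helper by absolute path with a fixed environment, independent of
 * the caller's working directory and PATH. Returns -1 only on failure. */
int run_helper(const char *name, char *const argv[])
{
    char path[4096];
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    if (helper_path(INSTALL_DIR, name, path, sizeof path) != 0)
        return -1;
    if (!helper_is_trusted(path, 0) || chdir(INSTALL_DIR) != 0)
        return -1;
    execve(path, argv, envp);
    return -1;
}

int main(void) { char *const a[] = { "undrv", NULL }; return run_helper("undrv", a) ? 1 : 0; }
```

A program that needs root only for part of its work should also drop privileges before running helpers that do not need them; that step is outside what this example shows.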