r00t advisory [ sol 2.5 su(1M) ] [ Aug 25 1996 ]

-- Synopsis

There exists a vulnerability in the su(1M) program that will allow any user to execute arbitrary commands as r00t. To exploit this vulnerability the malicious hacker must have already obtained sgid sys (not too hard to do!). If sulog doesn't yet exist, su will create it and then chown() it rather than fchown() it, resulting in an easily exploitable race condition.

-- Exploitability

r00t has tested this vulnerability and successfully run the id(1) program as euid r00t from a non-root account. A simple C program that unlinks the sulog and copies your favorite bin and chmod 4755's it works quite effectively. We have been able to win the race normally on the 4th or 5th try.

-- Fixes ?

Our suggestion is to move back to a secure 4.2BSD based operating system -- or perhaps just undefine sulog in /etc/default/su or spend a few minutes writing your own version of su.

r00t -- we're all idiots.
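The root cause the advisory points at is a classic create-then-chown(path) race: once the log has been created, a second lookup of the same name can resolve to something else. The example below is added here and is not code from the advisory or from Solaris; it shows the pattern the "write your own su" suggestion calls for, acting on the open descriptor (fchown/fchmod) instead of the path, refusing symlinks with O_NOFOLLOW, and refusing anything that is not a single-linked regular file. open_log_safely and self_check are hypothetical names; O_NOFOLLOW and O_CLOEXEC are assumed to exist (Linux, the BSDs, macOS), and self_check works only on a scratch directory it creates under /tmp with constructed files, never on a real sulog.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* open_log_safely: open (creating if absent) an append-only log such as sulog
 * and fix its ownership and mode on the descriptor, not on the path name.
 * creat() followed by chown(path) leaves a window in which anyone who can
 * write the directory may replace "sulog" with a link to a file of their own
 * choosing; fchown()/fchmod() bind to the inode we actually opened.
 * uid/gid may be (uid_t)-1 / (gid_t)-1 to leave that attribute unchanged.
 * Returns an fd, or -1 with errno set. Hypothetical helper, not Solaris code. */
int open_log_safely(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    /* O_NOFOLLOW: a symlink planted at `path` is an error, not a redirect.
     * No O_EXCL: an existing log must be appended to, so it is verified below. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0)
        goto fail;
    /* Only a plain file with a single name: a hard link to another binary or
     * a device node would otherwise inherit the ownership change below. */
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1) {
        errno = EPERM;
        goto fail;
    }
    /* A pre-existing file must already belong to us or to the intended owner. */
    if (st.st_uid != geteuid() && st.st_uid != uid) {
        errno = EPERM;
        goto fail;
    }
    /* Descriptor-based calls: whatever the path names now is irrelevant. */
    if (fchown(fd, uid, gid) < 0 || fchmod(fd, mode) < 0)
        goto fail;
    return fd;
fail:
    {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
}

/* self_check: exercise the helper in a scratch directory (constructed input).
 * Returns 1 if every case behaves as intended, 0 otherwise. */
int self_check(void)
{
    char dir[] = "/tmp/sulog-demo-XXXXXX";
    char fresh[256], lnk[256], other[256], hard[256];
    struct stat st;
    int ok = 1, fd;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(fresh, sizeof fresh, "%s/sulog", dir);
    snprintf(lnk, sizeof lnk, "%s/sulog-symlink", dir);
    snprintf(other, sizeof other, "%s/victim", dir);
    snprintf(hard, sizeof hard, "%s/sulog-hardlink", dir);

    /* Case 1: log absent. Created, mode forced to 0600 on the fd regardless of umask. */
    fd = open_log_safely(fresh, getuid(), getgid(), 0600);
    if (fd < 0 || fstat(fd, &st) < 0 || (st.st_mode & 07777) != 0600)
        ok = 0;
    if (fd >= 0)
        close(fd);

    /* Case 2: the path names a symlink. Must be refused (ELOOP from O_NOFOLLOW). */
    if (symlink("/dev/null", lnk) != 0) {
        ok = 0;
    } else if ((fd = open_log_safely(lnk, getuid(), getgid(), 0600)) >= 0) {
        ok = 0;
        close(fd);
    }

    /* Case 3: the path is a hard link to another file (st_nlink == 2). Refused. */
    fd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || link(other, hard) != 0) {
        ok = 0;
    } else if ((fd = open_log_safely(hard, getuid(), getgid(), 0600)) >= 0) {
        ok = 0;
        close(fd);
    }

    unlink(fresh); unlink(lnk); unlink(other); unlink(hard); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "all cases behaved as intended" : "FAILED");
    return 0;
}
```

The nlink check matters as much as O_NOFOLLOW: a hard link needs no symlink support and O_NOFOLLOW does nothing against it, so a setuid program that chowns or chmods whatever it just opened must confirm it is the only name for that inode. If the directory holding the log is writable by the group su runs with (the sgid sys precondition in the advisory), the only robust option is still to keep the log in a directory that group cannot write.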