Please respond with this mail if for nothing else than just to say "I got
it, I don't give a damn, go away." just so I know you got it...otherwise
I'll resend it every week until I get an ack. (I understand that you're both
very busy and tend to miss mail, I just feel that this is a rather important
problem).
johnc: Sorry if this doesn't pertain directly to you, I just thought
you might like to know of this hole.
I'm not totally certain how to exploit this, and it may not be
exploitable. But I'd bet money that it is exploitable and I figured you'd
like to know before BUGTRAQ. Anyways, now for the explanation.
Zoid moved my vga_init() call, which was in the .c file with the
linux main(), into the svgalib .c file, apparently. While this is more
"clean" (esp. considering my stupid inclusion of vga_init() { } into the
X-specific .c files), the problem is that any program using svgalib
has to be setuid root. vga_init() is the function that gives up root
access. If you call vga_init() at the beginning of main(), no problemo. If
you call it later, then everything executed before vga_init() will be run as
root.
Quake is a very easy program to cause to segfault. If a program can
be made to segfault while it is being run as root, it is almost always
possible to obtain root. There are probably several segfault opportunities,
but the most obvious is in the commandline parsing: "squake -game
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
will segfault you any time.
The fix is simple -- move the vga_init() call back to the beginning
of main. You may want to put the svgalib main stuff into its own file so
you don't have to do the ugliness of adding a vga_init() { } into the X and
other platform files. It can be temporarily pseudo-fixed by merely doing
chown root.console squake; chmod 4750 squake and making sure that only
trusted individuals are in group console.
FYI, sdoom had a very similar bug that was posted on BUGTRAQ. It
ran its soundserver before relinquishing root, a very bad thing.
If you would like to be the first to release this bug to the press
(BUGTRAQ, linux-alert, linux-security, CERT advisory, etc.) in the form of a
new version of squake, just let me know. Otherwise I was planning on
sending out the word myself.
Also, just a little nit-pick. Now it looks like, on error opening
/dev/cdrom, it has something like:
printf("CDAudio_Init: open of \"/dev/cdrom\" failed(%d)\n",errno);
That error number in ()'s there is pretty useless. People will probably
start seeing "permission denied" errors there if you make the rootness stuff
work reasonably, but they won't have any idea what the error number means.
Maybe change it to something more like:
printf("CDAudio_Init: open of \"/dev/cdrom\" failed(%s)\n",sys_errlist[errno]);
Thank you for reading all of this drivel. Have a nice day.
Greg Alexander
----------------------------------------------------------------------
John Carmack responded saying that it was up to Zoid to fix the problem.
Zoid responded by saying that he would have to think of a way to open
/dev/cdrom and /dev/mouse before giving up root. I do not know how
seriously he intends to pursue this, though.
For those in the cc: There is no reason to have root open /dev/cdrom
or /dev/mouse unless you cannot administer a proper linux system.
Greg Alexander
http://www.cia-g.com/~sietch/
----
"I read about monkeys in the encyclopedia as soon as I got home from the
funeral and I wonder if this one throws turds and masturbates all the time
like those monkeys saw it the zoo in San Francisco or if witness monkeys are
more like people."
-- a character in Orson Scott Card and Kathryn H. Kidd's novel,
Lovelock.
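As an added illustration (not code from the mail, from squake or from svgalib), the ordering Greg argues for in C: root is given up as the very first thing in main(), the drop is checked to be irrevocable, the "-game" argument is bounds-checked only afterwards, and errors are reported with strerror() rather than a bare errno. drop_root() and parse_game_arg() are assumed helper names; the uid 65534 used when started as plain root is a constructed fallback, and vga_init() itself is not reproduced.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Give up root for good (vga_init()'s job): groups, then gid, then uid, in that order. */
int drop_root(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0) return -1;
    /* The drop must be irrevocable: every route back to uid 0 must now fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return 0;
}

/* Bounded "-game NAME" handling: 0 (copied, or empty if absent), -1 if too long. */
int parse_game_arg(int argc, char **argv, char *out, size_t outsz)
{
    out[0] = '\0';
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-game") != 0)
            continue;
        if (strlen(argv[i + 1]) >= outsz)
            return -1;                /* refuse instead of overrunning the buffer */
        strcpy(out, argv[i + 1]);     /* length checked above */
        return 0;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* First thing in main(): become the invoking user (or constructed id 65534 if root). */
    uid_t uid = getuid() != 0 ? getuid() : 65534;
    gid_t gid = getgid() != 0 ? getgid() : 65534;
    if (drop_root(uid, gid) != 0) {
        fprintf(stderr, "drop_root failed (%s)\n", strerror(errno));
        return 1;
    }
    char game[64];
    if (parse_game_arg(argc, argv, game, sizeof game) != 0) {
        fputs("-game argument too long\n", stderr);
        return 1;
    }
    /* Argument parsing, /dev/cdrom, /dev/mouse and the rest now run unprivileged. */
    printf("running as uid %u, game \"%s\"\n", (unsigned)geteuid(), game);
    return 0;
}
```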