Recently looking through the source of the suid root game called Lizards I
noticed a vunerablity which is incredibly trivial to allow regular users
at the console gain unauthorized root access.
The exploitable code is found in the main portion of the code, on the
second last line in fact:
--- ...system("clear"); return EXIT_SUCCESS; }
---As this program does not seem anywhere through relinquish root privilidges, it executes "clear" (supposed to be /usr/bin/clear) as root, assuming everything is cool. Simple changing of the users PATH environment variable to something like PATH=.:/usr/games/lizardlib, then creating a symlink (or a sh script) called "clear" that executes a shell of your liking, will cause that command to be executed as root when the program exits. Voila, a root shell.
Of course this requires the game to run smoothly. This game comes with Slackware 3.4 in the y package.
Lame fix: chmod -s /usr/games/lizardlib/lizardshi Better fix: Change the source code, recompile lizards to reference "clear" absoloutley.
Regards suid@stealth.com.au