Red Hat Bugzilla – Bug 21819
xlock runs fortune command.
Last modified: 2008-05-01 11:37:59 EDT
When xlock is running, it may run the fortune command for one of its screen
savers. The fortune program on Red Hat 6.2 resides in /usr/games. By
default this is not in anybody's $PATH. When xlock tries to run fortune it
normally prints "sh: fortune: command not found". To test a theory I
created a file in /bin called fortune. It included the following.
[root@inflammation /bin]# cat fortune
cp /bin/bash /tmp
chmod +s /tmp/bash
After a few times of running xlock, it ran fortune and actually ran
fortune. I then did an ls in /tmp to see what was there and to my surprise
I have a nice setuid bash shell.
[root@inflammation /bin]# ls -l /tmp
-rwsr-sr-x 1 root root 316848 Dec 6 11:28 bash
I realize that by default it would be hard to put such a script in any of
the standard bin paths (/bin:/usr/bin:/sbin:/usr/sbin etc). But it may be
possible to gain elevated privileges and then overwrite another binary with
a similar script and rename it to 'fortune'.
If you can place something in those standard paths, you may replace other binaries
too and can even get root privileges in another way... so I say: no bug!
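
An added example, not part of the bug report or its comments: a shell function that audits how a bare command name such as fortune resolves along a PATH, flagging relative entries, group- or world-writable directories, and the unresolved "command not found" state described above. The function name audit_path_lookup, its output keywords and the AUDIT_PATH variable are assumptions of this example; it checks mode bits only, not directory ownership.

```shell
#!/bin/sh
# Added example (not from the bug report): audit how a bare command name
# resolves along a PATH, as the shell does for "fortune" in the report.
# audit_path_lookup and its output keywords are names made up here.

audit_path_lookup() {
    name=$1
    rest="$2:"        # trailing ":" lets the loop see the last entry
    found=""
    risk=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            /*) ;;
            *)  # empty or relative entries resolve against the current directory
                echo "RISK relative-entry '$dir'"; risk=1; continue ;;
        esac
        [ -d "$dir" ] || continue
        # "$dir/." follows symlinks such as /bin -> usr/bin
        perms=$(ls -ld "$dir/." | cut -c1-10)
        case $perms in
            ?????w????|????????w?)
                echo "RISK writable-dir $dir ($perms)"; risk=1 ;;
        esac
        if [ -z "$found" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            found=$dir/$name
            echo "RESOLVES $found"
        fi
    done
    # An unresolved name is the "command not found" state from the report:
    # the first file with that name to appear in any PATH directory gets run.
    [ -n "$found" ] || { echo "NOTFOUND $name"; risk=1; }
    return "$risk"
}

# Default list is the one quoted in the report; override with AUDIT_PATH.
audit_path_lookup fortune "${AUDIT_PATH:-/bin:/usr/bin:/sbin:/usr/sbin}" || true
```

A non-zero return status means at least one RISK or NOTFOUND line was printed for the name and PATH given.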