EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH - EMH
SECURITY ALERT - MINIX RECOVER(1)

Security hole in:  recover(1)
Compromises:       root privs
Exploitable:       locally
Quick fix:         chmod -s recover
Better fix:        (see below)

Description:

There is a hole in the MINIX program recover(1) which allows any local user with access to the program to acquire unauthorised root privileges. The vulnerability lies in an improper system call to de(1) which does not use an absolute pathname, so the shell spawned by the setuid program resolves "de" through the caller's PATH. Because of the trivial nature of creating an exploit it is advised that all MINIX users install a new and safer recover.

Exploit:

    $ cp gimmeshell ./de
    $ PATH=.
    $ /usr/bin/recover foop
    #

Fix:

Fix by Chris F. Patch this on /usr/src/commands/simple/recover.c and recompile.

------CUT HERE------
19a20
> #include
23a25,26
> #define PATH_DE "/usr/bin/de -r "
>
33a37,41
> if (strncmp(getenv("IFS"), "/", sizeof(char))) {
> printf("You will not get root that easily!\n");
> exit(1);
> }
>
37,38c45,46
< strcpy(buf, "de -r ");
< strcat(buf, argv[i]);
---
> strcpy(buf, PATH_DE));
> strncat(buf, argv[i], sizeof(buf));
------CUT HERE------

Footers:

Report by Chris F.
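Review bot: the hunk at 19a20 adds an `#include` line with no header name, which will not compile as written. The functions the patch relies on, strncmp/strncat/strcpy and getenv/exit, are declared in <string.h> and <stdlib.h>; whichever of those is missing from recover.c should be named here.

Review bot: the IFS check in the hunk at 33a37,41 has its condition inverted and dereferences a possible NULL. strncmp() returns 0 on a match, so `if (strncmp(getenv("IFS"), "/", sizeof(char)))` is true whenever IFS does not begin with "/", which means the program exits for every ordinary user (default IFS is space/tab/newline) and continues for the value it meant to reject; and when IFS is unset, getenv() returns NULL and strncmp() crashes. It also inspects only the first character, while a "/" anywhere in IFS lets the shell split "/usr/bin/de" back into a PATH lookup. Something like `char *ifs = getenv("IFS"); if (ifs != NULL && strchr(ifs, '/') != NULL) { ... exit(1); }` expresses the intent; better still, drop system() in favour of fork()/execv() on the absolute path so neither PATH nor IFS is consulted at all.

Review bot: the hunk at 37,38c45,46 does not compile and still overflows. `strcpy(buf, PATH_DE));` has an unbalanced parenthesis, and `strncat(buf, argv[i], sizeof(buf));` passes the whole buffer size as the limit without subtracting what strcpy() already placed in buf, so an argument close to sizeof(buf) bytes still writes past the end (and the result is silently truncated rather than rejected). Use `strncat(buf, argv[i], sizeof(buf) - strlen(buf) - 1);` or an snprintf() whose return value is checked against sizeof(buf), and refuse arguments that do not fit.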
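The advisory's point is that a setuid program which hands a bare command name to the shell lets the caller's environment choose which binary runs. The following C program is an added example, not the advisory's patch nor MINIX source: it shows the two defensive forms a maintainer would want, building the command with an absolute path and a bound that rejects oversize input, and, stronger, invoking de(1) through fork()/execv() so no shell, PATH or IFS is involved. DE_PATH is taken from the patch's PATH_DE; the function names, the buffer sizes and the file-name arguments are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Absolute path to de(1), as in the advisory's PATH_DE (assumed for this example). */
#define DE_PATH "/usr/bin/de"

/*
 * Build the command line the patch intends: absolute path, fixed "-r" flag,
 * then the user-supplied file name. The bound accounts for the whole result,
 * and an argument that would not fit is refused instead of truncated.
 * Returns 0 on success, -1 if the result would not fit in n bytes.
 */
static int build_de_command(char *buf, size_t n, const char *arg)
{
    size_t need;

    if (buf == NULL || n == 0 || arg == NULL)
        return -1;
    need = strlen(DE_PATH) + strlen(" -r ") + strlen(arg) + 1;
    if (need > n) {
        buf[0] = '\0';
        return -1;
    }
    snprintf(buf, n, "%s -r %s", DE_PATH, arg);
    return 0;
}

/*
 * Stronger form: no shell at all. execv() starts the program named by an
 * absolute path and passes the argument vector unchanged, so PATH and IFS
 * are never consulted and no metacharacters in `arg` are interpreted.
 * Returns the child's exit status, 127 if the program could not be started,
 * or -1 if fork()/waitpid() failed or the child did not exit normally.
 */
static int run_de_direct(const char *path, const char *arg)
{
    char *argv[] = { "de", "-r", (char *)arg, NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);   /* execv() only returns on failure */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    char buf[128];
    int i;

    for (i = 1; i < argc; i++) {
        if (build_de_command(buf, sizeof buf, argv[i]) != 0) {
            fprintf(stderr, "argument too long: %s\n", argv[i]);
            continue;
        }
        printf("shell form (absolute path): %s\n", buf);
        printf("execv form exit status: %d\n", run_de_direct(DE_PATH, argv[i]));
    }
    return 0;
}
```

On a system without /usr/bin/de the execv form reports 127, which is exactly the behaviour wanted: the program either runs the binary at the fixed path or fails, and nothing in the caller's environment can redirect it.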