From the debian-hams mailing list posting:
The hf package, described by Debian as an amateur-radio protocol suite
using a soundcard as a modem, is a program that eventually becomes
setuid(0), and has a trivial security hole in it.
By default the package installs "/usr/bin/hfkernel" as a typical binary,
but when first started via the program "hf" the binary is changed to
be setuid(root).
[...]
Unfortunately the hfkernel program contains a trivial root hole:
    int main(int argc, char *argv[])
    {
        // snip
        while ((c = getopt(argc, argv, "a:M:c:klhip:m:nt:s:r:Rf23")) != -1)
            switch (c) {
            // snip
            case 'k':
                system ("killall hfkernel");
            //
            }
Creating ~/bin/killall is sufficient to gain root privileges.
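
A hardened replacement for the `system("killall hfkernel")` call quoted above, added here as an example; it is not code from the hf package or from the original posting. The helper name `run_trusted`, the fixed environment and the `/usr/bin/killall` location are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the helper (assumed value). Nothing is inherited
 * from the caller, so the invoking user's PATH cannot steer the lookup. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run abs_path with argv and SAFE_ENV, without going through a shell.
 * Returns the child's exit status, 127 if exec failed, -1 on error. */
int run_trusted(const char *abs_path, char *const argv[])
{
    int status;
    pid_t pid, w;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                 /* refuse names that need a PATH search */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);  /* no /bin/sh, no PATH lookup */
        _exit(127);                        /* only reached if exec failed */
    }
    do {
        w = waitpid(pid, &status, 0);
    } while (w < 0 && errno == EINTR);
    if (w != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Assumed location of killall; adjust for the target system. */
    char *const args[] = { "killall", "hfkernel", NULL };
    int rc = run_trusted("/usr/bin/killall", args);

    printf("killall exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```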