Vulnerability Development mailing list archives

Re: VULN-DEV Digest - 22 Mar 2000 to 23 Mar 2000 (#2000-61)


From: nekr0tek () YAHOO COM (Devil Man)
Date: Fri, 24 Mar 2000 16:53:49 -0800


Would love to give it a try, but I am not a C or C++ programmer, just a lowly
shell programmer and maybe some Perl. Anyone want to give a better exploit? I'll
try it. It is important to me as I admin over 100 Red Hat servers. We do not use
mail from the Linux console, so not a real big deal, but still interested.

You can e-mail me directly if worried about posting a full exploit to the list.

nekr0tek () yahoo com


From what I can tell, jan is putting an executable into
/var/mail/myusername that does:

setgid(6);
system("/bin/sh");

and is setting it setgid, then Red Hat comes along and chgrp's it to
group mail, which then can be executed to gain a shell that has
mail-group access.  Since I don't run Red Hat here I couldn't try it, but
the SuSE system I tried it on has all of the mailbox files' group set
to the user's default group, so it obviously doesn't work.  Any Red Hat
users want to give it a try?

-HD

http://www.secureaustin.com


jan bakker wrote:

Hello fellow roots,

One day I found that Red Hat 6.1 takes not only suid bits but also guid.

You are owner of your mail file, but it still belongs to the group mail.

so

void(){
set suid bit to user;
set guid bit to 6;
}

compile it and move it to

/var/mail/user
chmod 4700 /var/mail/user
...

result:
reddog@home$id
uid 300(me),gid 40(users)
reddog@home$cd /var/mail
reddog@home$me
reddog@home$id
uid(300),gid 6(mail)

Now you can read other people's mail, but
6 is lower than 15, so on some systems you can add new users !!!
Even a root user !!!

red

P.S. It is noted very badly; this is because otherwise newbies and dipshits would use it
at schools. The good guys get the picture.


=====
"I am not lost, I am merely exploring alternative destinations!"



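The thread's condition is a user-owned file in the mail spool that carries a setuid/setgid bit (or is executable at all) while being group-owned by mail. An administrator checking a spool for that state can do it with the POSIX test operators alone. The script below is an added example written for this archive page, not code from any of the posters; the spool path is a parameter, with /var/mail only as the conventional default, and the file names used in the check are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mail spool directory for
# mailbox files that are executable or carry the setuid/setgid bit.
# Mailbox files are normally plain 0600 data files, so any of these bits
# on a file in the spool is a deviation worth listing.

# audit_spool DIR: print one `ls -l` line per regular file in DIR
# (non-recursive) that is setuid (-u), setgid (-g) or executable (-x).
# Returns 0 when nothing was flagged, 1 otherwise.
audit_spool() {
    dir="${1:-/var/mail}"   # /var/mail is only the conventional default
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ] || [ -x "$f" ]; then
            ls -l "$f"
            found=1
        fi
    done
    return $found
}

# count_suspect DIR: number of flagged files in DIR, printed on stdout.
count_suspect() {
    audit_spool "$1" | wc -l | tr -d ' '
}

# remediate DIR: strip setuid, setgid and execute bits from every regular
# file in DIR, so a dropped-in binary can no longer change group when run.
remediate() {
    dir="${1:-/var/mail}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        chmod u-s,g-s,a-x "$f"
    done
}

# Stand-alone usage: audit the spool given as the first argument (or the
# default), exit non-zero if anything was flagged.
if [ "${0##*/}" = "audit_spool.sh" ]; then
    audit_spool "$1"
fi
```

Run `audit_spool /var/mail` as part of a periodic check; a non-zero exit means at least one mailbox has bits it should not have. Note that on Linux the kernel itself clears the setgid bit on chmod when the caller is not a member of the file's group, which is why the executable check is included alongside the setuid/setgid ones.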