Vulnerability Development mailing list archives
Re: 1 Suid-Writeable Root Owned File...Easy Compromise?
From: Ralph Moonen <ralph () TINK ORG>
Date: Sat, 28 Oct 2000 00:39:09 +0200
At 20:05 26-10-00 -0400, Barry Russell wrote:
While messing around with a big web hosting company Sun OS system I came across one (well, actually two, but too much messing around got that file deleted) and the file was owned by root, suid and writeable by all.

$ ls -la xu_chown
-rwsrwxrwx 1 root root xxxxxx Oct ?? ??:?? xu_chown

(variables changed to protect the innocent)

The file is a binary file, so after a little more messing around and talking with a few people I was able to construct a perl script that carries the source of one binary to that file so that the permissions would stay the same. Well, I did a little bit of playing around with no way of taking 'advantage' of this file. I was wondering, since it's root/suid/writeable, was there any way to exploit this? This file might also be the same way on other Sun systems but I have yet to check and see.
As far as I know, it's not exploitable in a quick way, because while the permission stays the same, as soon as you modify the file, the ownership changes to you. Of course you can run it in a debugger and it will retain the suid characteristics, meaning that you can manipulate the stack and variables directly (as root) and take advantage like that.

--Ralph
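An added example, not part of the original posts: a Python audit that flags set-id files writable by group or others, the condition shown in the quoted listing (-rwsrwxrwx, owned by root). The function names are this example's own, and the scan root defaults to the current directory.

```python
import os
import stat
import sys

def mode_from_ls(perm):
    """Convert an ls -l permission string such as '-rwsrwxrwx' to mode bits."""
    if len(perm) != 10:
        raise ValueError("expected a 10-character permission string")
    rwx = [getattr(stat, f"S_I{p}{w}") for w in ("USR", "GRP", "OTH") for p in "RWX"]
    special = {2: (stat.S_ISUID, "sS"), 5: (stat.S_ISGID, "sS"), 8: (stat.S_ISVTX, "tT")}
    bits = 0
    for i, ch in enumerate(perm[1:]):
        if ch == "rwx"[i % 3]:
            bits |= rwx[i]
        elif i in special and ch in special[i][1]:
            # lowercase s/t means the execute bit is set as well
            bits |= special[i][0] | (rwx[i] if ch.islower() else 0)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {perm!r}")
    return bits

def findings(mode, uid):
    """Reasons a set-id file's mode is unsafe; empty list when acceptable."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return []
    kind = ("root-owned " if uid == 0 else "") + ("setuid" if mode & stat.S_ISUID else "setgid")
    out = []
    if mode & stat.S_IWOTH:
        out.append(f"{kind} file is world-writable")
    if mode & stat.S_IWGRP:
        out.append(f"{kind} file is group-writable")
    return out

def audit(root):
    """Walk root; yield (path, reasons) for each flagged regular file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable
            if stat.S_ISREG(st.st_mode) and (why := findings(st.st_mode, st.st_uid)):
                yield path, why

if __name__ == "__main__":
    print(findings(mode_from_ls("-rwsrwxrwx"), 0))  # mode from the quoted listing
    for path, why in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "; ".join(why))
```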
Current thread:
- 1 Suid-Writeable Root Owned File...Easy Compromise? Barry Russell (Oct 27)
- Re: 1 Suid-Writeable Root Owned File...Easy Compromise? Ralph Moonen (Oct 29)