[14348] in bugtraq
Re: Exploit for Mandrake 6.1 (PAM/userhelper bug)
daemon@ATHENA.MIT.EDU (Darron Froese)
Mon Mar 20 05:50:05 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Message-Id: <B4F7A42B.7F4C%darron@froese.org>
Date: Fri, 17 Mar 2000 08:58:19 -0700
Reply-To: Darron Froese <darron@FROESE.ORG>
From: Darron Froese <darron@FROESE.ORG>
X-To: Paulo Ribeiro <prrar@NITNET.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38CED5CD.1BBB8769@nitnet.com.br>
on 3/14/00 5:14 PM, Paulo Ribeiro at prrar@NITNET.COM.BR wrote:
> * DESCRIPTION:
> * -----------
> * Mandrake Linux 6.1 has the same problem as Red Hat Linux 6.x but its
> * exploit (pamslam.sh) doesn't work on it (at least on my machine). So,
> * I created this C program based on it which exploits PAM/userhelper
> * and gives you UID 0.
> *
> * SYSTEMS TESTED:
> * --------------
> * Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1.
> *
> * RESULTS:
> * -------
> * [prrar@linux prrar]$ id
> * uid=501(prrar) gid=501(prrar) groups=501(prrar)
> * [prrar@linux prrar]$ gcc pam-mdk.c -o pam-mdk
> * [prrar@linux prrar]$ ./pam-mdk
> * sh-2.03# id
It appears that Mandrake 6.0 is vulnerable too:
[darron@maul darron]$ gcc pam-mdk.c -o pam-mdk
[darron@maul darron]$ ./pam-mdk
sh-2.03# id
uid=0(root) gid=502(admin) groups=502(admin)
sh-2.03#
[darron@maul /etc]$ cat mandrake-release
Linux Mandrake release 6.0 (Venus)
--
Darron
darron@froese.org
<http://darron.froese.org/>
