[4501] in bugtraq
SunOS exploit.
daemon@ATHENA.MIT.EDU (Trevor Linton)
Mon May 19 10:52:58 1997
Date: Sun, 18 May 1997 13:36:00 +0000
Reply-To: Trevor Linton <blind@SEDATED.NET>
From: Trevor Linton <blind@SEDATED.NET>
To: BUGTRAQ@NETSPACE.ORG
On sunos, if you execute a clean bash shell then type, export USER="root"
then USER=$LOGNAME, then execute chsh root or chfn root you can change
the root information.
Why?
Well first off chsh and chfn are +s'ed. This is a bad idea in the first
Place, Second off chsh and chfn use the function getenv("USER") most
programs bother to use this instead of geteuid(); getenv("USER") reports
that the user is root (while geteuid(); would report the real userid) and
then since chsh and or chfn is +s'ed it'll change root's shell user
information or ANYONE on the system's information!
On the SunOS system i have i've been able to lock out ANYONES shell
using this exploit and locking out root's shell as well as changing
anyones NAME info in /etc/passwd etc.. etc.. any program that uses
getenv("USER") is vunerable (that's in bash). tcsh and some other
shells i remember don't allow USER and LOGNAME modifying. :\
Anyways here's a rough patch:
1) -s the programs that use getenv(); such as chsh and chfn
2) remove getenv() and replace it with geteuid();
3) possibly get the programmers of bash to fix it so USER and
LOGNAME can't be modified unless it's super-user.
I'm sure theres a way to get root from this exploit butta.. :) oh well.
Trevor Linton (blind) - blind@sedated.net support@hax0r.org
Swingin' Utters. a juvenile product of the working class.
"People who are having trouble communicating should just shuttup"
