[27011] in bugtraq
Re: efstool slackware 7.1 local root exploit exploit included
daemon@ATHENA.MIT.EDU (Jeffrey Denton)
Thu Sep 12 12:20:06 2002
Date: Thu, 12 Sep 2002 00:21:27 -0700 (MST)
From: Jeffrey Denton <dentonj@c2i2.com>
To: bugtraq@securityfocus.com
In-Reply-To: <200209110231.g8B2Vk402705@mail17.bigmailbox.com>
Message-ID: <Pine.LNX.4.44.0209112321140.635-100000@alien.dentonj.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 10 Sep 2002, Cloud Ass wrote:
> There exsists a local root in slackware 7.1 in the efstool package, here is
> an exploit. Quick fix just chmod efstool -s. Enough said, any questions feel
> free to e-mail me back.
That's actually kind of interesting, since Slackware 7.1 and previous
versions didn't install efstool or bonobo. Each version of Slackware has a
MANIFEST.gz file which lists everything that is installed during a full install.
The following was performed on a Slackware 8.1 system:
# grep efstool /var/log/packages/*
/var/log/packages/bonobo-1.0.20-i386-1:36:usr/bin/efstool
# ls -l /usr/bin/efstool
- -rwxr-xr-x 1 root bin 14308 May 5 18:44 /usr/bin/efstool*
# ncftpget ftp://ftp.slackware.com/pub/slackware/slackware-7.1/slakware/MANIFEST.gz
MANIFEST.gz: 766.91 kB 4.45 kB/s
# zgrep bonobo MANIFEST.gz
33702:-rw-r--r-- root/root 5279 2000-05-30 01:37
usr/share/glade/gnome/gnome-bonobo-check.m4
# zgrep efstool MANIFEST.gz
#
Compare with Slackware 8.0 and 8.1:
# ncftpget ftp://ftp.slackware.com/pub/slackware/slackware-8.0/slakware/MANIFEST.gz
MANIFEST.gz: 1.37 MB 4.51 kB/s
# zgrep efstool MANIFEST.gz
36086:-rwxr-xr-x root/root 11224 2001-05-20 17:06 opt/gnome/bin/efstool
# ncftpget
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/MANIFEST.gz
MANIFEST.gz: 1.56 MB 4.37 kB/s
# zgrep efstool MANIFEST.gz
35115:-rwxr-xr-x root/bin 14308 2002-05-05 18:44:05 usr/bin/efstool
After changing the path to efstool in efstool.c, I ran the exploit on Slackware
8.1.
$ gcc -o efstool_exploit efstool.c
$ ./efstool_exploit
Segmentation fault
$
Interesting, but it's hardly a root exploit since efstool is not suid. And
claiming that there is a local root exploit in Slackware 7.1 is just plain
wrong.
Enjoy
dentonj
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9gECUZLAxqqBWfgYRAqL+AJoCuORXVehDHt1E8fqQRqXFPkpS0ACfVgKN
AMN6AryEibmp3SatrOPeM4c=
=WUy4
-----END PGP SIGNATURE-----
