solaris root-setuid script to gain root?

From: Vitalik N. (robert.morris.jr@gmail.com)
Date: Sat Jun 30 2007 - 07:23:59 EDT


Hi

I was doing pen testing the other day and I found one root suid script
left by some of the web developers:

-rwsr-x--x 1 root users /home/web/c.cgi

which is basically a bash script:

------ cut ------------
#!/bin/sh

uname
------ cut ------------

And our system was recently compromised. Some local user was able to
gain root access. Could this script be the way of gaining root access?

According to http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html
"Because it was not possible to write a secure suid shell script, the concept
of suid shell scripts was removed from Unix." But then it says "Solaris now
supports suid shell"!
I tried modifying the PATH variable and creating my own "uname" program.
But my uname program runs with local user privs instead of root. I also
tried the other attack described in the link above: "link to -i", but this
didn't work either.
So could this script be the problem?

P.S: The machine runs SunOS 5.6 with all updates
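
For anyone auditing a host after finding a file like the c.cgi above, the following is an added example (not part of the original post) that lists every setuid or setgid regular file under a directory whose first two bytes are "#!", meaning the set-id bit sits on an interpreter script. The function name audit_setid_scripts and the output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_setid_scripts DIR
#   Prints one line per setuid/setgid regular file under DIR that starts
#   with "#!" (an interpreter script), plus one line per set-id file that
#   cannot be read by the current user (e.g. mode --x for "other").
# Usage: audit_setid_scripts /home/web    (run as root to read every file)
audit_setid_scripts() {
    dir=${1:-/}
    # -perm -4000 = setuid, -perm -2000 = setgid; -xdev stays on one filesystem.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f in "$@"; do
            if [ ! -r "$f" ]; then
                # Cannot inspect the contents; flag it for a privileged re-run.
                printf "UNREADABLE %s\n" "$f"
                continue
            fi
            # Read only the first two bytes and compare with the "#!" magic.
            magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
            if [ "$magic" = "#!" ]; then
                # Report the interpreter named on the first line.
                interp=$(sed -n "1s/^#![[:space:]]*//p;1q" "$f")
                printf "SETID-SCRIPT %s (interpreter: %s)\n" "$f" "$interp"
            fi
        done
    ' sh {} +
}
```

Each SETID-SCRIPT line is a candidate for removing the set-id bit (chmod u-s,g-s) or for replacing the script with a compiled wrapper that sets a fixed environment.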
